Title: Plugin includes PHP tags in its output
Last modified: March 19, 2026

---

# Plugin includes PHP tags in its output

 *  [DavidH64](https://wordpress.org/support/users/davidh64/)
 * (@davidh64)
 * [2 months, 2 weeks ago](https://wordpress.org/support/topic/plugin-includes-php-tags-in-its-output/)
 * This extension includes PHP tags/code in its backend output. The culprit is the
   file under `nextgen-gallery/templates/AttachToPost/tinymce_placeholder.php`:
 *     ```wp-block-code
       <?php
       /**
        * Template file
        */
       ?>
       <?php // phpcs:disable PHPCompatibility.Miscellaneous.RemovedAlternativePHPTags.MaybeASPOpenTagFound,Generic.PHP.DisallowAlternativePHPTags.MaybeASPOpenTagFound ?>
       <script type="text/underscore-template" id="ngg-igw-placeholder">
               <div class="mceItem mceNonEditable nggPlaceholder"
                       id="<%- ref %>"
                       data-shortcode="<%- shortcode %>"
                       data-mce-resize="false"
                       data-mce-placeholder="1"
                       contenteditable="false">
                       <h3><%- nextgen_gallery %></h3>
                       <div class="nggPlaceholderButton nggIgwEdit">
                               <%- edit %>
                       </div>
                       <div class="nggPlaceholderButton nggIgwRemove">
                               <%- remove %>
                       </div>
               </div>
       </script>
       <?php // phpcs:enable PHPCompatibility.Miscellaneous.RemovedAlternativePHPTags.MaybeASPOpenTagFound,Generic.PHP.DisallowAlternativePHPTags.MaybeASPOpenTagFound ?>
       ```
   
 * This code is included as is in the `/wp-admin/` backend, for example when accessing
   the comments (`/wp-admin/edit-comments.php`). While this in itself isn’t a security
   risk, PHP tags or code must not be included in the HTML output. In my case, this
   issue triggers my WAF (web application firewall) which tries to block any responses
   that contain PHP code.
   The inclusion likely happens in `nextgen-gallery/src/IGW/ATPManager.php`:
 *     ```wp-block-code
       /**
        * Renders the underscore template used by TinyMCE for IGW placeholders
        */
       public function print_tinymce_placeholder_template() {
               $view     = new View( 'AttachToPost/tinymce_placeholder', [], 'photocrati-attach_to_post#tinymce_placeholder' );
               $template = $view->find_template_abspath( 'AttachToPost/tinymce_placeholder', 'photocrati-attach_to_post#tinymce_placeholder' );
               readfile( $template ); // phpcs:ignore WordPress.WP.AlternativeFunctions.file_system_operations_readfile
       }
       ```
   
 * Two suggestions on how to solve this:
    - Remove `<?php ... ?>` tags from `tinymce_placeholder.php` altogether and make
      it an HTML file instead
    - Parse the php file and only output the HTML portion
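
An added example (not part of the original post and not the plugin's code) of the second suggestion: tokenize the template with PHP's `token_get_all()` and emit only the `T_INLINE_HTML` parts, compared against the raw `readfile()` output the post describes. The sample template, the sniff name `Example.Sniff` and the helper name `html_portion_of_template` are constructed for illustration.

```php
<?php
// Constructed sample, modelled on the template file quoted in the post.
$sample = <<<'TPL'
<?php
/**
 * Template file
 */
?>
<?php // phpcs:disable Example.Sniff ?>
<script type="text/underscore-template" id="ngg-igw-placeholder">
    <div class="nggPlaceholder" id="<%- ref %>"><h3><%- nextgen_gallery %></h3></div>
</script>
<?php // phpcs:enable Example.Sniff ?>
TPL;

/**
 * Hypothetical helper: return only the inline-HTML parts of a PHP source string.
 * The source is tokenized, never executed.
 */
function html_portion_of_template(string $source): string {
    $html = '';
    foreach (token_get_all($source) as $token) {
        // Array tokens carry [id, text, line]; T_INLINE_HTML is text outside PHP tags.
        if (is_array($token) && $token[0] === T_INLINE_HTML) {
            $html .= $token[1];
        }
    }
    return $html;
}

$path = tempnam(sys_get_temp_dir(), 'tpl');
file_put_contents($path, $sample);

// Behaviour described in the post: readfile() copies the file byte for byte.
ob_start();
readfile($path);
$raw = ob_get_clean();

// Alternative: keep only what lies outside the PHP open and close tags.
$clean = html_portion_of_template(file_get_contents($path));
unlink($path);

var_dump(strpos($raw, '<?php') !== false);        // does the raw output carry PHP tags?
var_dump(strpos($clean, '<?php') === false);      // is the filtered output free of them?
var_dump(strpos($clean, '<%- ref %>') !== false); // do the underscore placeholders survive?
echo $clean;
```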

Viewing 2 replies - 1 through 2 (of 2 total)

 *  Plugin Support [Mihai](https://wordpress.org/support/users/mceban/)
 * (@mceban)
 * [1 month, 1 week ago](https://wordpress.org/support/topic/plugin-includes-php-tags-in-its-output/#post-18896541)
 * Hi [@davidh64](https://wordpress.org/support/users/davidh64/) ,
 * Sorry for the late reply and thank you for the detailed report.
 * I’ve created an issue report for our development team and they’ll look into solving
   it in one of the next plugin updates.
 * In the meantime, if your WAF allows path-based or response-body exclusions, consider
   adding a rule to exempt the WP admin (`/wp-admin/`) from that specific
   PHP-code-in-response check as a temporary workaround, keeping in mind this might
   not align with your security policy.
 * Best regards,
 *  Thread Starter [DavidH64](https://wordpress.org/support/users/davidh64/)
 * (@davidh64)
 * [4 days, 12 hours ago](https://wordpress.org/support/topic/plugin-includes-php-tags-in-its-output/#post-18927808)
 * [@mceban](https://wordpress.org/support/users/mceban/) any update on this? The
   most recent releases still contain this PHP code in their output…

 * [Photo Gallery, Sliders, Proofing and Themes - NextGEN Gallery](https://wordpress.org/plugins/nextgen-gallery/)

## Tags

 * [php](https://wordpress.org/support/topic-tag/php/)
 * [waf](https://wordpress.org/support/topic-tag/waf/)

 * 2 replies
 * 2 participants
 * Last reply from: [DavidH64](https://wordpress.org/support/users/davidh64/)
 * Last activity: [4 days, 12 hours ago](https://wordpress.org/support/topic/plugin-includes-php-tags-in-its-output/#post-18927808)
 * Status: not a support question