eval() should never be used

  • Critical
  • Security

More information: https://insight.sensiolabs.com/what-we-analyse/php.use_php_eval_function

  {
      $arrayContext = json_decode(json_encode($context), true);
      // Prevents leaking global variable by forcing anonymous scope
      $render = function($templateString, array $context) {
          extract($context);
          return eval('?>'.$templateString);

    eval() is very dangerous because it allows execution of arbitrary PHP code. Avoid using it, especially when including user input.

    Time to fix: about 1 day
    Last edited by Mathieu Ducharme

      };
      ob_start();
      $render($templateString, $arrayContext);
      $output = ob_get_clean();
  • mducharme

    Needed to include custom PHP scripts.