Hi,

When using book/export/html, the resulting page shows the PHP code if the node contains such content type. There is no setting to turn this off AFAIK. I consider this to be a security threat for any sites using PHP code in node body.

Comments

puregin’s picture

Status: Active » Closed (duplicate)

This is a duplicate issue; see http://drupal.org/node/42517.

This does not happen for all PHP pages - only where the PHP is broken, I suspect.

mansion’s picture

I am surprised. The Zen guy knows that this bug discloses PHP code and downgraded it from 'critical' to 'normal' just for the purpose of decreasing the issue queue? That's pretty stupid. In case he doesn't realize, disclosing PHP code may mean showing passwords, file paths and other secret information to anonymous users. And guess what, this content can also be indexed by Google and available to the world forever.

About your comment:

1. Have you read the description of the other bug? If yes, how can you consider it is a duplicate? Please let me know, you must be cleverer than I am.

2. The PHP code in the node is not broken. Filters are simply not applied to the content before it is displayed. So please stop suspecting, and start investigating, or just shut up. It only adds noise and it doesn't help.

In case you still haven't realized it, this is a security issue.
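
A defender's check for the exposure described in this thread, as an added example that is not part of the original posts or of Drupal's code: it scans a saved export page for PHP source that reached the output unprocessed, in raw or HTML-escaped form. The sample page, the function name and the sensitive-content patterns are constructed for illustration.

```python
import html
import re

# A PHP opening tag ("<?php", "<?=" or "<? ") up to its closing tag or end of text.
# "<?xml" is not matched.
PHP_BLOCK = re.compile(r"<\?(?:php\b|=|\s)(.*?)(?:\?>|\Z)", re.DOTALL | re.IGNORECASE)
# Constructed heuristics for what the thread warns about: credentials and file paths.
SENSITIVE = re.compile(
    r"passw(?:or)?d|mysql_connect|(?:/[\w.-]+){2,}\.(?:php|inc)", re.IGNORECASE
)

# Constructed sample of an exported page; not real Drupal output.
SAMPLE_EXPORT = """<html><body>
<div><h1>Stats</h1>
<?php $db = mysql_connect('localhost', 'site', 'constructed-password'); ?>
</div>
<div><h1>Footer</h1>
&lt;?php include '/var/www/includes/menu.inc'; ?&gt;
</div>
<div><h1>Plain</h1><p>No code here.</p></div>
</body></html>"""


def find_php_leaks(page: str) -> list[dict]:
    """Return one finding per PHP block visible in the rendered output."""
    findings, seen = [], set()
    # Scan the markup as served and its entity-decoded form: escaped source
    # (&lt;?php ...) is still readable by visitors and by search crawlers.
    for form, text in (("raw", page), ("escaped", html.unescape(page))):
        for match in PHP_BLOCK.finditer(text):
            body = match.group(1).strip()
            if body in seen:  # already reported from the raw pass
                continue
            seen.add(body)
            findings.append({
                "form": form,
                "sensitive": bool(SENSITIVE.search(body)),
                "snippet": body[:60],
            })
    return findings


if __name__ == "__main__":
    for finding in find_php_leaks(SAMPLE_EXPORT):
        print(finding)
```

Run it against pages fetched as an anonymous user, since that is the audience the thread is concerned about.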