While difficult, sandboxing PHP for use as a template language is not impossible. We’ve been doing it since 1999 in Ariadne. Initially using a flawed approach based on parsing the PHP code with regular expressions, we’ve updated the process to use a full scanner/parser setup that understands the full PHP syntax.

We’ve called this contraption PINP (for PINP Is Not PHP). It allows you to specify a white list of functions that are ok to use. All other functions are rewritten with a configurable prefix. The same thing is done with variables, so the template writer doesn’t have access to any variable or function, except what you provide.

To make it extra clear that you are not in a full PHP environment when editing a PINP template, we’ve changed the start and end strings for code blocks from <?php and ?> to <pinp> and </pinp> respectively. But this is easy to change back.

The current version disallows ‘new’, so you need to provide factory methods if you want template writers to create new objects. It also rewrites method calls and property names with a ‘_’ prefix. This is because it was designed for PHP3 and PHP4 where you had no private or protected methods or properties. Static method calls are also rewritten, the class name is prefixed with ‘pinp_’.

PINP compiles the template to PHP, you are responsible for saving the PHP code somewhere and running it as a template. E.g.:

  $whitelist = 'header|myAppFunction|..';
  $pinp = new pinp($whitelist, 'this->', '$this->');
  $compiled = $pinp->compile($template);
 

This will prefix all variable access with ‘this->‘, so $foo will become $this->foo. All function calls are prefixed with ‘$this->‘, so bar() becomes $this->bar(), unless bar is listed in the function whitelist.

Running the compiled template can be done in a number of ways, depending on how you save it. The simplest way is to include the compiled file in the correct spot, e.g.:

  class sandbox() {
    function runme($compiledTemplatePath) {
      include($compiledTemplatePath);
    }
  }

  $sandbox = new sandbox();
  $sandbox->runme($aTemplatePath);
 

This does require that your web application has write access somewhere to store these compiled templates. You could also store the compiled templates in a database, but then you’ll need eval() or create_function() to run the code, or you could use a custom stream wrapper in PHP5.

The current version doesn’t support exceptions or namespaces. It will return an error if it finds such code. On the plus side, the pinp compiler will happily run in a PHP4 environment, and actually allows templates there to use method chaining and even array comprehension. It also allows you to check for syntax errors, so you can generate a warning when saving an incorrect template. The compiled template doesn’t change the line numbers of the code, so any error PHP generates later can be traced back to the correct line in the uncompiled template.