This is part two of a multi-part series on using zend-view as a stand-alone library. The code is available at https://github.com/lorenzoferrarajr/zend-view-examples.
- Part one: How to render html using Zend View
- Part two: LFI Protection and PHAR support from TemplatePathStack
By default the TemplatePathStack resolver is configured so that parent directory traversal is not allowed in view paths. This means you can't use `..` segments (`../` or `..\`) when referencing a view.
This limit is imposed for security reasons. The feature is called LFI protection (Local File Inclusion protection) and it is implemented so that a view name cannot reference files outside the configured script roots.
LFI protection can be disabled via configuration. The TemplatePathStack accepts an option key named lfi_protection which can be set to false:

```php
$resolver = new \Zend\View\Resolver\TemplatePathStack([
    'script_paths'   => [
        'view/',
    ],
    'lfi_protection' => false,
]);
```
Without the previous configuration, any of the following calls to the render method would have failed:

```php
$renderer = new \Zend\View\Renderer\PhpRenderer();
$renderer->setResolver($resolver);
$content = $renderer->render('sub1/../../view/view-1');
$content = $renderer->render('../view/view-1');
```
Just for clarity: if the view script file path starts with a slash, the actual file is still searched starting from the script_paths roots configured in the TemplatePathStack, not from the root of the hard drive.
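As an added example (not code from this post or from zend-view itself), the following self-contained script mirrors the two behaviours just described in a deliberately simplified resolver: the `..`-segment check that LFI protection performs, and the fact that a leading slash is resolved relative to the script roots. The `resolveTemplate()` function and the temporary fixture directory are assumptions made for the illustration.

```php
<?php
// Added illustration, not zend-view's own code: a minimal stand-in for
// TemplatePathStack::resolve() showing the LFI check and root-relative lookup.
declare(strict_types=1);

final class LfiException extends RuntimeException {}

/**
 * Resolve a template name against a stack of script roots.
 * Returns the first readable file, or null when nothing matches.
 */
function resolveTemplate(array $scriptPaths, string $name, bool $lfiProtection = true): ?string
{
    // Same idea as TemplatePathStack: refuse "../" and "..\" while protection is on.
    if ($lfiProtection && preg_match('#\.\.[\\\\/]#', $name)) {
        throw new LfiException('Requested scripts may not include parent directory traversal ("../", "..\\" notation)');
    }
    // Default suffix, as the real resolver does when no extension is given.
    if (pathinfo($name, PATHINFO_EXTENSION) === '') {
        $name .= '.phtml';
    }
    foreach ($scriptPaths as $root) {
        // A leading slash in $name is appended to the root, so it never
        // escapes to the filesystem root.
        $candidate = rtrim($root, '/\\') . '/' . ltrim($name, '/\\');
        if (is_readable($candidate)) {
            return $candidate;
        }
    }
    return null;
}

// Constructed fixture: a temporary view root with one template, plus a file outside it.
$tmp = sys_get_temp_dir() . '/zv-' . bin2hex(random_bytes(4));
mkdir("$tmp/view/sub1", 0700, true);
file_put_contents("$tmp/view/view-1.phtml", "<p>hello</p>\n");
file_put_contents("$tmp/outside.txt", "not a view script\n");
$roots = ["$tmp/view/"];

echo 'view-1   -> ', resolveTemplate($roots, 'view-1'), "\n";
echo '/view-1  -> ', resolveTemplate($roots, '/view-1'), "\n";   // same file: slash is root-relative
try {
    resolveTemplate($roots, '../outside.txt');
} catch (LfiException $e) {
    echo "../outside.txt -> blocked by LFI protection\n";
}
// With protection disabled the same name resolves outside the view root.
echo '../outside.txt (lfi_protection=false) -> ', resolveTemplate($roots, '../outside.txt', false), "\n";
```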
Another feature of the TemplatePathStack resolver is its support for phar files. These files are treated as source paths and are configured just like directories:

```php
$resolver = new \Zend\View\Resolver\TemplatePathStack([
    'script_paths' => [
        'phar://' . __DIR__ . '/view.phar',
    ],
]);
```
View scripts contained in the phar file are rendered just like any other view scripts.