-2

I am using ckeditor in a simple cms i build with the following configuration.

<script>
    if ($("#editor").length) {
        CKEDITOR.replace('editor', {
            language: 'en',
            allowedContent: true
        });
        // keep <?php ... ?> blocks out of the editor's content processing
        CKEDITOR.config.protectedSource.push(/<\?[\s\S]*?\?>/g);
    }
</script>

It works great if I go to the source tab on the editor and type some PHP code like the following:

<?php echo "hello"; ?>

It gets saved in the database as <?php echo "hello"; ?>, so far so good.

Now my problem is when getting that from the database and displaying it in the browser: it does not appear.

I did a var_dump on the variable that has the code and I see the following:

...modules\pages\views\base.php:38:string '<?php echo "hola"; ?>' (length=21)

So the value does exist and it's reaching the view; I don't understand why it is not showing up on the page.

The page is template.php. If I look at the source code, my PHP code is being commented:

<!--?php echo "hola"; ?-->

And this is how I am trying to display the code. If I do the following:

 <div class="article-content-container">
    <?php   echo $this->security->xss_clean($content);   ?>
</div>

it is displayed like

<div class="article-content-container">
                            &lt;?php echo "hola"; ?&gt;<!--?php echo "hola"; ?-->                          
                        </div>

If I display it like this:

 <div class="article-content-container">
    <?php   echo $content;   ?>
</div>

it gets commented.

I hope I was clear, any help would be appreciated.

Thanks guys-

AL DI
  • 560
  • 6
  • 24
  • 3
Browsers don't run php servers do – Nov 12 '16 at 00:06
  • 1
    The string is outputting exactly as it should. As far as the browser is concerned, PHP code is just a string. There's no expectation for a web browser to do anything with it. – David Nov 12 '16 at 00:09

2 Answers

2

Browsers don't interpret PHP code, and they don't know the slightest thing about it. They never have and they never will. PHP code is executed on the server; from there it produces some output that is echoed to the client's browser, usually HTML, but can also be CSS or JavaScript, images or other downloadable files.

If you output PHP code, the most the visitor can do with it is manually save it to a local file, install their own PHP software, and run it in that. It's never going to magically run in the browser, no matter what you do.

If you want to run some code in the browser, it must be JavaScript. If you want to run some PHP code on the server, don't echo it, eval it:

<div class="article-content-container">
    <?php eval($content); ?>
</div>

Note that eval treats its input as already having a PHP open tag, so you would pass echo "hello"; to it rather than <?php echo "hello"; ?>. You can still use ?> within the eval'd code to drop back to HTML+PHP mode if you need to.

Either PHP or JavaScript code could trivially be designed to be hostile, and so submitting any markup or code for execution on your website must be treated as a privileged action. You must make sure not to allow anyone who is not an authenticated administrator of your website to do it. There are ways to sandbox or purify such code if you really have to allow random people to run it, but that is more complex. CodeIgniter's xss_clean is an incomplete attempt to stop XSS, and is certainly not designed for executing user-submitted code safely, although it will mangle code and make it annoying to write.

In general:

  • If you need to execute submitted PHP then use eval($content);.

  • If you need to output submitted HTML, which may include executable JavaScript, then use echo $content;.

  • If you need to output submitted plain text (which is the only form where it is normally safe to allow input from users), then use echo htmlspecialchars($content);.

Boann
  • 48,794
  • 16
  • 117
  • 146
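The following script is an added example and is not code from the question or from either answer. It takes the same stored string the question shows (constructed here as $stored, standing in for the value read from the database) and runs it through the three cases listed above: echoing it raw, which hands the HTML parser a "<?" sequence that HTML tokenises as a bogus comment (hence the <!--?php ... ?--> seen in the page source); escaping it with htmlspecialchars so the code is shown as text; and evaluating it, which needs the <?php open tag and trailing ?> stripped first because eval() starts in PHP mode. The eval path is gated on a hypothetical $isAdmin flag and falls back to escaped text otherwise; stripPhpTags and the render* functions are names chosen for this example. Run it with the PHP CLI.

```php
<?php
// Added example, not code from the question or answers above.
declare(strict_types=1);

// Constructed sample: what the question's var_dump showed coming from the database.
$stored = '<?php echo "hola"; ?>';

// Case 1: echo $content. The raw string reaches the HTML parser, which has no
// notion of PHP processing instructions and turns "<?php ... ?>" into a bogus
// comment, so the browser renders nothing visible.
function renderRaw(string $content): string
{
    return $content;
}

// Case 2: echo htmlspecialchars($content). Angle brackets and quotes are
// escaped, so the visitor sees the literal code as text on the page.
function renderAsText(string $content): string
{
    return htmlspecialchars($content, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// eval() treats its argument as already being inside a PHP block, so a leading
// "<?php" is a parse error. Strip one open tag at the start and one close tag
// at the end; anything in between is passed through unchanged.
function stripPhpTags(string $content): string
{
    $code = preg_replace('/^\s*<\?(?:php\b)?\s*/i', '', $content);
    $code = preg_replace('/\s*\?>\s*$/', '', $code);
    return $code;
}

// Case 3: eval($content), only for content written by an authenticated
// administrator. $isAdmin is a hypothetical flag for this example; any
// non-privileged source gets the escaped-text rendering instead.
function renderEvaluated(string $content, bool $isAdmin): string
{
    if (!$isAdmin) {
        return renderAsText($content);
    }
    ob_start();
    eval(stripPhpTags($content));
    return (string) ob_get_clean();
}

echo "raw:       ", renderRaw($stored), PHP_EOL;
echo "as text:   ", renderAsText($stored), PHP_EOL;
echo "evaluated: ", renderEvaluated($stored, true), PHP_EOL;
echo "non-admin: ", renderEvaluated($stored, false), PHP_EOL;
```

Saving the raw output of the "raw" line into an HTML file and opening it in a browser reproduces the question's symptom (the DOM shows <!--?php echo "hola"; ?-->), while the "as text" line is what xss_clean's escaping produced in the question's second attempt. The tag stripping only removes a wrapper at the very start and end, which matches the answer's note that a ?> inside the evaluated code still works to drop back into HTML mode.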
-1

If you don't save your php tags in the database, you could use eval() for running the saved code:

eval($this->security->xss_clean($content));

Only when the saved bit is not surrounded by <?php and/or ?>.

EDIT: Letting people run code from a database or even saving code in a database is a potential risk. It could be exploited.

SmartGuyz
  • 69
  • 1
  • 10
  • 4
    Do note that allowing users to enter PHP code which will be executed *on the server* with potentially *elevated permissions* carries with it a certain risk. – David Nov 12 '16 at 00:14
  • 1
    Thanks, I did edit my post. It is indeed a potential security risk. – SmartGuyz Nov 12 '16 at 00:17