I started developing a custom theme for WordPress and I noticed an evident bug, which seems strange to me given the ‘size’ and popularity of WordPress.
WordPress uses a convention so that files named like page_mytemplatename.php are considered “page templates” and are parsed in order to populate the “Template” dropdown in page edit options.
It is known, intended and documented that writing a comment in a page template file stating
/* Template Name: myCustomTemplateNameHere */
tells WordPress to add “myCustomTemplateNameHere” to the dropdown.
Now… I would expect WordPress to be smart enough to look for the “Template Name: xxxx” pattern only in the first comment (and only if the first comment is the first thing at all in the .php file!) but instead I found that writing “template name: xxxxxxx” somewhere in ANY template OR in any file which is INCLUDED via ‘include’ or ‘require’ directive, causes WordPress to actually populate the menu with whatever garbage is written after the colon, even PHP code itself!
For example, a statement like this, in the middle of a file even indirectly included by ‘include’ directive:
echo "current template name: " . $tpl_name;
will cause the appearance of a " . $tpl_name; template in the dropdown!
In my opinion, this seems totally unchecked and may lead to security issues in WordPress! This could potentially lead to some sort of injection, even though I must admit it would be tricky to get there…
Anyway, the fact that we seem not to be free to write a comment like
/* writing template name: namehere would cause wordpress to populate a dropdown */
or even writing code containing the sequence of characters “Template name: xxxx” without actually causing the side effect sounds like a bug to me.
Also, I noticed it happens even if template name: xxxx is written inside included or required files… why does this happen? Does WordPress parse ALL files or even look for includes and parse included files? This would seem tricky and terribly wrong to me!
Did I manage to show my point?
I am running WordPress 4.3.1 (pretty much the latest at the time of this writing).
Can someone confirm this to be a bug I should keep in mind while I write my theme?
Thank you.
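The matching behaviour described in the question, next to the first-comment-only check the asker expected, as an added example that is not part of the original post and not WordPress core code. Both patterns, the function names and the sample file contents are assumptions constructed for illustration.

```php
<?php
// Added example: patterns and function names are assumptions, not WordPress core code.

// Loose scan as described in the post: case-insensitive, anywhere in the
// file, capturing everything after the colon up to the end of the line.
function loose_template_name(string $src): ?string {
    if (!preg_match('/Template Name:(.*)$/mi', $src, $m)) {
        return null;
    }
    // Drop a trailing comment terminator so "Name */" is reported as "Name".
    return trim(preg_replace('~\s*\*/.*~', '', $m[1]));
}

// Strict scan the asker expected: the header counts only inside a block
// comment that is the first thing after the opening PHP tag.
function strict_template_name(string $src): ?string {
    if (!preg_match('~\A<\?php\s*/\*(.*?)\*/~s', $src, $c)) {
        return null;
    }
    if (!preg_match('/^[ \t*]*Template Name:[ \t]*(.+?)[ \t]*$/mi', $c[1], $m)) {
        return null;
    }
    return $m[1];
}

// Constructed sample files (not taken from any real theme).
$samples = [];
$samples['page_landing.php'] = <<<'EOT'
<?php
/* Template Name: Landing Page */
get_header();
EOT;
$samples['inc/helpers.php'] = <<<'EOT'
<?php
function show_name($tpl_name) {
    echo "current template name: " . $tpl_name;
}
EOT;
$samples['inc/notes.php'] = <<<'EOT'
<?php
/* writing template name: namehere would populate a dropdown */
EOT;

foreach ($samples as $file => $src) {
    printf("%-18s loose=%s strict=%s\n", $file,
        var_export(loose_template_name($src), true),
        var_export(strict_template_name($src), true));
}
```

Only the first sample yields a name under the strict check, while the loose scan reports a "template" for all three, including the PHP fragment after the colon in the echo statement.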
I’ve run some experiments in WordPress 4.3.1, and the following are my results:
As intended / you would expect, comments in this form, anywhere on a page:
result: Does get listed as a template
Straight html in a page template:
result: does get listed as a template
PHP code as a comment, like so:
result: does get listed as a template
PHP code NOT as a comment, like so:
result: surprisingly, this DOES get listed as a template (the template name listed is ' . $foobar; )
Examining the WP core code that parses templates, it loads all .php files in the theme, and then looks for the following regular expression in the contents of the PHP:
Conclusion: