Use func_get_arg(0) vs $template

Paul M. Jones · web-flow · commit 6bb302549e87 · 2017-07-05T14:57:00.000-05:00
This makes it more-obvious to casual reviewers that $template cannot be replaced by the extract() call, and thus is not a security vulnerability.
diff --git a/src/PhpRenderer.php b/src/PhpRenderer.php
@@ -185,6 +185,6 @@ public function fetch($template, array $data = []) {
      */
     protected function protectedIncludeScope ($template, array $data) {
         extract($data);
-        include $template;
+        include func_get_arg(0);
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -185,6 +185,6 @@ public function fetch($template, array $data = []) {`
`185`	`185`	`*/`
`186`	`186`	`protected function protectedIncludeScope ($template, array $data) {`
`187`	`187`	`extract($data);`
`188`		`- include $template;`
	`188`	`+ include func_get_arg(0);`
`189`	`189`	`}`
`190`	`190`	`}`