Nope, this file cannot be used for any kind of injection. This is the error handler. Watchful mistakenly reports it because they see the string “exec”. However, we do not use the PHP function exec(). The string appears in the line defined('_JEXEC') or die(); which protects against direct access to the file and in the PHP configuration variable name
max_execution_time (which is output after being properly escaped with
Likewise, we do dump the server superglobals ($_GET, $_POST, $_COOKIE, $_REQUEST) again after passing them through htmlentities to avoid other injection attacks, just like we do with any kind of output.
If Watchful believes otherwise they can tell us what they believe is a PHP injection vulnerability so I can tell them exactly why they are wrong.
Nicholas K. Dionysopoulos
Lead Developer and Director
🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!