A website accepts form input and outputs it to the screen, but replaces every <? to <--? turning them to comments.
Let's say I POST the following:
<?php echo "xy"; /* arbitrary php code */
and I want to get it running. Is there any way to inject something between the < and ? characters that gets skipped during php parsing?
No. PHP will parse the php file looking for either <?php, <? or <?= (depending on the value of short_tags)
However, outputting <?php to the screen would not execute code. It would need to have been evaluated (eg. saved to a .php file in the server that you then run). This form is probably vulnerable to XSS, though.
