From 96a5c1c80e49e800716ba97becf574de0505a69f Mon Sep 17 00:00:00 2001
From: Duncan McClean <duncan@duncanmcclean.com>
Date: Thu, 19 Mar 2026 11:57:51 +0000
Subject: [PATCH 1/5] case insensitive replacement of `<?php`

---
 src/View/Antlers/Language/Utilities/StringUtilities.php | 2 +-
 tests/Antlers/Runtime/PhpEnabledTest.php                | 8 ++++++++
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/src/View/Antlers/Language/Utilities/StringUtilities.php b/src/View/Antlers/Language/Utilities/StringUtilities.php
index 997b17182ac..134b59d44e2 100644
--- a/src/View/Antlers/Language/Utilities/StringUtilities.php
+++ b/src/View/Antlers/Language/Utilities/StringUtilities.php
@@ -79,7 +79,7 @@ public static function containsSymbolicCharacters($text)
      */
     public static function sanitizePhp($text)
     {
-        $text = str_replace('<?php', '&lt;?php', $text);
+        $text = str_ireplace('<?php', '&lt;?php', $text);
 
         // Also replace short tags if they're enabled.
         if (ini_get('short_open_tag')) {
diff --git a/tests/Antlers/Runtime/PhpEnabledTest.php b/tests/Antlers/Runtime/PhpEnabledTest.php
index 63f02d46296..d59afeb6d74 100644
--- a/tests/Antlers/Runtime/PhpEnabledTest.php
+++ b/tests/Antlers/Runtime/PhpEnabledTest.php
@@ -608,4 +608,12 @@ public function test_disabled_php_node_inside_user_values()
 
         GlobalRuntimeState::$allowPhpInContent = false;
     }
+
+    public function test_sanitize_php_is_case_insensitive()
+    {
+        $this->assertSame('&lt;?php echo "test"; ?>', StringUtilities::sanitizePhp('<?php echo "test"; ?>'));
+        $this->assertSame('&lt;?php echo "test"; ?>', StringUtilities::sanitizePhp('<?PHP echo "test"; ?>'));
+        $this->assertSame('&lt;?php echo "test"; ?>', StringUtilities::sanitizePhp('<?Php echo "test"; ?>'));
+        $this->assertSame('&lt;?php echo "test"; ?>', StringUtilities::sanitizePhp('<?pHp echo "test"; ?>'));
+    }
 }

From ca0983104895300ff8b81daab95c49e1c976ed6b Mon Sep 17 00:00:00 2001
From: Duncan McClean <duncan@duncanmcclean.com>
Date: Thu, 19 Mar 2026 11:58:01 +0000
Subject: [PATCH 2/5] short echo tags

---
 src/View/Antlers/Language/Utilities/StringUtilities.php | 4 ++++
 tests/Antlers/Runtime/PhpEnabledTest.php                | 6 ++++++
 2 files changed, 10 insertions(+)

diff --git a/src/View/Antlers/Language/Utilities/StringUtilities.php b/src/View/Antlers/Language/Utilities/StringUtilities.php
index 134b59d44e2..38f8a6afcab 100644
--- a/src/View/Antlers/Language/Utilities/StringUtilities.php
+++ b/src/View/Antlers/Language/Utilities/StringUtilities.php
@@ -81,6 +81,10 @@ public static function sanitizePhp($text)
     {
         $text = str_ireplace('<?php', '&lt;?php', $text);
 
+        // Always replace short echo tags (<?=) — enabled since PHP 5.4
+        // regardless of short_open_tag setting.
+        $text = str_replace('<?=', '&lt;?=', $text);
+
         // Also replace short tags if they're enabled.
         if (ini_get('short_open_tag')) {
             $xmlPlaceholder = '__XML_PLACEHOLDER'.Str::uuid();
diff --git a/tests/Antlers/Runtime/PhpEnabledTest.php b/tests/Antlers/Runtime/PhpEnabledTest.php
index d59afeb6d74..76b954100d4 100644
--- a/tests/Antlers/Runtime/PhpEnabledTest.php
+++ b/tests/Antlers/Runtime/PhpEnabledTest.php
@@ -616,4 +616,10 @@ public function test_sanitize_php_is_case_insensitive()
         $this->assertSame('&lt;?php echo "test"; ?>', StringUtilities::sanitizePhp('<?Php echo "test"; ?>'));
         $this->assertSame('&lt;?php echo "test"; ?>', StringUtilities::sanitizePhp('<?pHp echo "test"; ?>'));
     }
+
+    public function test_sanitize_php_handles_short_echo_tag()
+    {
+        $this->assertSame('&lt;?= $var ?>', StringUtilities::sanitizePhp('<?= $var ?>'));
+        $this->assertSame('&lt;?="test"?>', StringUtilities::sanitizePhp('<?="test"?>'));
+    }
 }

From 3543fda0f5aba7a8a36a9ac8015bebd3ff33a3bb Mon Sep 17 00:00:00 2001
From: Duncan McClean <duncan@duncanmcclean.com>
Date: Thu, 19 Mar 2026 17:06:27 +0000
Subject: [PATCH 3/5] wip

---
 .../Language/Utilities/StringUtilities.php      | 17 ++++-------------
 1 file changed, 4 insertions(+), 13 deletions(-)

diff --git a/src/View/Antlers/Language/Utilities/StringUtilities.php b/src/View/Antlers/Language/Utilities/StringUtilities.php
index 38f8a6afcab..f114e64344e 100644
--- a/src/View/Antlers/Language/Utilities/StringUtilities.php
+++ b/src/View/Antlers/Language/Utilities/StringUtilities.php
@@ -79,19 +79,10 @@ public static function containsSymbolicCharacters($text)
      */
     public static function sanitizePhp($text)
     {
-        $text = str_ireplace('<?php', '&lt;?php', $text);
-
-        // Always replace short echo tags (<?=) — enabled since PHP 5.4
-        // regardless of short_open_tag setting.
-        $text = str_replace('<?=', '&lt;?=', $text);
-
-        // Also replace short tags if they're enabled.
-        if (ini_get('short_open_tag')) {
-            $xmlPlaceholder = '__XML_PLACEHOLDER'.Str::uuid();
-            $text = str_replace('<?xml', $xmlPlaceholder, $text);
-            $text = str_replace('<?', '&lt;?', $text);
-            $text = str_replace($xmlPlaceholder, '<?xml', $text);
-        }
+        $xmlPlaceholder = '__XML_PLACEHOLDER'.Str::uuid();
+        $text = str_replace('<?xml', $xmlPlaceholder, $text);
+        $text = str_replace('<?', '&lt;?', $text);
+        $text = str_replace($xmlPlaceholder, '<?xml', $text);
 
         return $text;
     }

From 898d63dcdec20654032c2d8573603368eac6ba00 Mon Sep 17 00:00:00 2001
From: Duncan McClean <duncan@duncanmcclean.com>
Date: Thu, 19 Mar 2026 17:08:16 +0000
Subject: [PATCH 4/5] update tests

---
 tests/Antlers/Runtime/PhpEnabledTest.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/tests/Antlers/Runtime/PhpEnabledTest.php b/tests/Antlers/Runtime/PhpEnabledTest.php
index 76b954100d4..2c5c9980b9d 100644
--- a/tests/Antlers/Runtime/PhpEnabledTest.php
+++ b/tests/Antlers/Runtime/PhpEnabledTest.php
@@ -612,9 +612,9 @@ public function test_disabled_php_node_inside_user_values()
     public function test_sanitize_php_is_case_insensitive()
     {
         $this->assertSame('&lt;?php echo "test"; ?>', StringUtilities::sanitizePhp('<?php echo "test"; ?>'));
-        $this->assertSame('&lt;?php echo "test"; ?>', StringUtilities::sanitizePhp('<?PHP echo "test"; ?>'));
-        $this->assertSame('&lt;?php echo "test"; ?>', StringUtilities::sanitizePhp('<?Php echo "test"; ?>'));
-        $this->assertSame('&lt;?php echo "test"; ?>', StringUtilities::sanitizePhp('<?pHp echo "test"; ?>'));
+        $this->assertSame('&lt;?PHP echo "test"; ?>', StringUtilities::sanitizePhp('<?PHP echo "test"; ?>'));
+        $this->assertSame('&lt;?Php echo "test"; ?>', StringUtilities::sanitizePhp('<?Php echo "test"; ?>'));
+        $this->assertSame('&lt;?pHp echo "test"; ?>', StringUtilities::sanitizePhp('<?pHp echo "test"; ?>'));
     }
 
     public function test_sanitize_php_handles_short_echo_tag()

From c7c302f7205dd5a96bf9ca54a1590ea332299a69 Mon Sep 17 00:00:00 2001
From: Jason Varga <jason@pixelfear.com>
Date: Thu, 19 Mar 2026 19:50:58 -0400
Subject: [PATCH 5/5] Add short open tag test to PHP sanitization tests

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 tests/Antlers/Runtime/PhpEnabledTest.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/tests/Antlers/Runtime/PhpEnabledTest.php b/tests/Antlers/Runtime/PhpEnabledTest.php
index 2c5c9980b9d..5f31dda431c 100644
--- a/tests/Antlers/Runtime/PhpEnabledTest.php
+++ b/tests/Antlers/Runtime/PhpEnabledTest.php
@@ -617,9 +617,10 @@ public function test_sanitize_php_is_case_insensitive()
         $this->assertSame('&lt;?pHp echo "test"; ?>', StringUtilities::sanitizePhp('<?pHp echo "test"; ?>'));
     }
 
-    public function test_sanitize_php_handles_short_echo_tag()
+    public function test_sanitize_php_handles_short_tags()
     {
         $this->assertSame('&lt;?= $var ?>', StringUtilities::sanitizePhp('<?= $var ?>'));
         $this->assertSame('&lt;?="test"?>', StringUtilities::sanitizePhp('<?="test"?>'));
+        $this->assertSame("&lt;? echo 'test' ?>", StringUtilities::sanitizePhp("<? echo 'test' ?>"));
     }
 }