Execute a PHP function that returns an array from an XSL file

I am also a noob when it comes to XSL. To be honest, I had no idea it could be this powerful... and dangerous. But I will have a shot at this anyway.

I don't know if it is possible to get the output from a function returning an array. Perhaps you can nest function calls somehow? But given my lack of knowledge about XSL I can't tell you how. So lets work around the whole problem instead. Is there a way to get the directory listing without having to deal with arrays at all?

Enters the PHP manual. The two following functions look useful:

resource opendir ( string $path [, resource $context ] )

Opens up a directory handle to be used in subsequent closedir(), readdir(), and rewinddir() calls.

string readdir ([ resource $dir_handle ] )

Returns the name of the next entry in the directory. The entries are returned in the order in which they are stored by the filesystem. [...] If the directory handle is not specified, the last link opened by opendir() is assumed.

So you will not be able to get the resource from opendir, but since readdir kindly assumes you want to read from the last resource it might work anyway. I suggest an attack file with something like this:

<xsl:value-of select="php:function('opendir','/some/where/')"/>
<xsl:value-of select="php:function('readdir')"/>
<xsl:value-of select="php:function('readdir')"/>
<xsl:value-of select="php:function('readdir')"/>
...

Edit: Apparently there is an undocumentet php:functionString() that "will automatically convert output to a string", according to a comment on php.net. Not sure if it helps, but worth a try.