strpos is technically insufficient. Verify that the position returned is the last 4 characters of the filename, because people do weird things like name files myfile.phpeditor.wark and that would get caught by a flat strpos check.
As far as JavaScript files… any HTML file can carry a JavaScript payload that can be executed, but it would be a client-side script at that point, not a server-side one.
As suggested, I created a myfile.phpeditor.wark with PHP content:
Tried in three browsers:
a. Opera displayed PHP content
b. Chromium displayed PHP content
c. Firefox displayed a blank screen
It looks as though Apache2 only recognises PHP extensions and prevents non-PHP files from running.
The thought did occur that JavaScript maybe could be used to rename a file such as index.html to index.php. Activating the renamed file could create havoc.
I updated and completely revamped the site. Full page view is now possible and ideal for mobiles and laptops. Pasting HTML script into the following web page automatically adds the page to Default.zip. Not even a Zip Name or filename is required.
Wherever the file has a lowercase .php extension I appended .txt. This seems adequate because I am just concerned about preventing the .php file from being called.
Viewing the content as a .txt file seems harmless and hopefully will not cause any problems.
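The two checks discussed in this thread (a flat strpos match versus testing only the final extension) and the append-.txt step, side by side, as an added example that is not code from any of the posts. The function names and the sample filenames are hypothetical, and the comparison is made case-insensitive, which goes beyond the lowercase-only case mentioned above.

```php
<?php
declare(strict_types=1);

// Extensions treated as executable. Assumption: only .php is mapped to the
// PHP handler on this server; extend the list to match your own configuration.
const BLOCKED_EXTENSIONS = ['php'];

// The flat check: matches ".php" anywhere in the name, and is case-sensitive.
function flatCheck(string $name): bool
{
    return strpos($name, '.php') !== false;
}

// Suffix check: only the final extension counts, compared case-insensitively.
function hasBlockedExtension(string $name): bool
{
    $ext = strtolower(pathinfo(basename($name), PATHINFO_EXTENSION));
    return in_array($ext, BLOCKED_EXTENSIONS, true);
}

// Append .txt so the stored name no longer ends in a blocked extension.
function neutralise(string $name): string
{
    $base = basename($name); // drop any directory part supplied with the name
    return hasBlockedExtension($base) ? $base . '.txt' : $base;
}

// Constructed sample names.
$samples = ['index.php', 'INDEX.PHP', 'myfile.phpeditor.wark', 'notes.html', 'page.php.txt'];

foreach ($samples as $name) {
    printf(
        "%-24s flat=%-3s suffix=%-3s stored as %s\n",
        $name,
        flatCheck($name) ? 'yes' : 'no',
        hasBlockedExtension($name) ? 'yes' : 'no',
        neutralise($name)
    );
}
```

On these samples the flat check flags myfile.phpeditor.wark and page.php.txt, which do not end in .php, and misses INDEX.PHP; the suffix check flags only index.php and INDEX.PHP.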