php, fat-free-framework

Fat free framework - prevent direct access to html files


I'm wondering if there is any good way to prevent direct access to html files in Fat Free Framework...

So the intended way would be to call a route like /login. However, with the default configuration, users could also access /ui/login.html and get the html file directly, eventually displaying {{@variable}} content, which users shouldn't see...

Unfortunately, I didn't find a way to prevent this so far, neither with PHP methods directly nor within Fat Free Framework. How could this be done?


Solution

  • This could be done with some .htaccess magic where any access to your .htm[l] files is sent a 404, but the proper way to do this is to actually get them out of your public directory. Like you just pointed out, it's a security risk to have those unrendered files there. Usually an app is set up like the following:

    app/
       config/
       controllers/
       ui/
       mappers/
       etc...
    public/
       index.php (where your fat free index file is that defines your autoloads, config, etc)
    vendor/
       (composer stuff)
    

    If I were in your shoes, I would move your /ui/ files to a folder outside the public folder and then just change the UI hive variable to point to something like __DIR__.'/../app/ui/' instead which ultimately would solve your problem.

    Also, I hope your config file isn't in the public folder! That shouldn't be there either (or committed in your code repository!)
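The following `public/index.php` is an added example of the layout the answer recommends; it is not code from the question, the answer, or the Fat-Free Framework project. It assumes templates have been moved to `app/ui/` (outside the web root), F3 is installed via Composer under `vendor/`, and the web server's document root is `public/`. The hive variable `UI`, `Base::instance()`, `$f3->route()`, `$f3->set()` and `Template::instance()->render()` are real F3 APIs; the `uiDirIsOutsideWebRoot()` boot check is a hypothetical helper added here so that a misconfigured deployment (templates still under the web root) fails loudly instead of silently exposing raw `{{@variable}}` markup.

```php
<?php
// public/index.php (added example; not from the original post or from F3 itself)
//
// Assumed layout:
//   app/ui/login.html   <- templates, NOT reachable by the web server
//   public/index.php    <- this file, the only thing in the document root
//   vendor/             <- Composer packages, including bcosca/fatfree-core

require __DIR__ . '/../vendor/autoload.php';

/**
 * Hypothetical boot-time check: returns true only when $uiDir resolves to a
 * real directory that is NOT inside $webRoot. Uses realpath() so symlinks and
 * "../" segments cannot make a directory look like it is outside when it isn't.
 */
function uiDirIsOutsideWebRoot(string $uiDir, string $webRoot): bool
{
    $ui   = realpath($uiDir);
    $root = realpath($webRoot);
    if ($ui === false || $root === false || !is_dir($ui)) {
        return false;
    }
    // Append a separator so "/srv/public" does not match "/srv/public_templates".
    $uiPrefixed   = rtrim($ui, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    $rootPrefixed = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strpos($uiPrefixed, $rootPrefixed) !== 0;
}

$f3 = Base::instance();

// Template directory lives one level above the document root, as the answer suggests.
$uiDir = __DIR__ . '/../app/ui/';

// Refuse to serve anything if the templates are still reachable through the web server.
if (!uiDirIsOutsideWebRoot($uiDir, __DIR__)) {
    http_response_code(500);
    error_log('UI directory must exist and must not be under the web root: ' . $uiDir);
    exit('Server misconfiguration');
}

// F3 reads templates from the UI hive variable; the web server never sees this path.
$f3->set('UI', $uiDir);

// Keep stack traces out of responses in production (0 = no debug output).
$f3->set('DEBUG', 0);

// The only way to reach login.html is through this route, so every
// {{@variable}} placeholder is rendered before the response leaves the app.
$f3->route('GET /login', function (Base $f3) {
    $f3->set('title', 'Sign in');          // constructed sample value for {{@title}}
    echo Template::instance()->render('login.html');
});

// Any request for /ui/login.html now hits this 404 handler (or the web server's own
// 404, since the file no longer exists under public/) instead of the raw template.
$f3->set('ONERROR', function (Base $f3) {
    http_response_code($f3->get('ERROR.code') ?: 500);
    echo 'Not found';
});

$f3->run();
```

With this layout the `.htaccess` 404 rule the answer mentions becomes unnecessary: there is nothing under `public/` except `index.php`, so a direct request for `/ui/login.html` cannot resolve to a file at all. The boot check is defensive only; it catches the case where someone later "fixes" a broken deployment by copying `app/ui/` back under `public/`.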