Anthony Ferrara wrote:

> I wanted to float an idea by you for PHP 7 (or 7.1 depending on the
> RM's feedback).
>
> Currently, PHP by default is vulnerable to XXE attacks:
> https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
>
> To bypass this, you need to turn off external entity loading:
>
> libxml_disable_entity_loader(true);
>
> What I'm proposing is to disable entity loading by default. That way
> it requires developers to opt-in to actually load external entities.
>
> Thoughts?
A problem is reported as bug #62577. As it is now, when
libxml_disable_entity_loader(true) has been called, no XML file can be
loaded, i.e. simplexml_load_file(), DOMDocument::load() etc. always fail,
even if the XML doesn't contain any entities at all.

-- 
Christoph M. Becker

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
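To make both points in this thread concrete (the XXE that Anthony's proposal targets, and the side effect Christoph reports as bug #62577), here is an added PHP script; it is not code from either message. It assumes only a writable temp directory: it writes its own "secret" file and a harmless entity-free XML file, builds a constructed XXE payload pointing at the secret, and then parses the payload with LIBXML_NOENT (entity substitution on), without LIBXML_NOENT, and with libxml_disable_entity_loader(true). The last step simply reports whether simplexml_load_file() on the entity-free file succeeds, because that outcome depends on the PHP version: the breakage Christoph describes applies to the PHP 5/7 implementation, and libxml_disable_entity_loader() was deprecated in PHP 8.0.

```php
<?php
declare(strict_types=1);

// Added example for this thread, not code from the original messages.
// Everything it reads is created by the script itself in the temp dir.

// A "secret" on disk that an attacker-controlled document will try to read.
$secret = tempnam(sys_get_temp_dir(), 'xxe');
file_put_contents($secret, 'TOP-SECRET-TOKEN');

// Constructed attacker payload: the internal DTD subset declares an external
// entity backed by a local file, and the document body references it.
$payload = <<<XML
<?xml version="1.0"?>
<!DOCTYPE data [
  <!ENTITY leak SYSTEM "file://$secret">
]>
<data>&leak;</data>
XML;

// Harmless document with no DTD and no entities, for the bug #62577 check.
$plainFile = tempnam(sys_get_temp_dir(), 'xml');
file_put_contents($plainFile, '<?xml version="1.0"?><root><item>ok</item></root>');

// Collect libxml warnings instead of printing them inline.
libxml_use_internal_errors(true);

/**
 * Parse with LIBXML_NOENT, i.e. ask libxml to substitute entities.
 * Returns the root element's text, which is where a leaked file lands.
 */
function parseSubstitutingEntities(string $xml): string
{
    $dom = new DOMDocument();
    if (!$dom->loadXML($xml, LIBXML_NOENT)) {   // NOENT: substitute entities (dangerous)
        return '<parse failed>';
    }
    return $dom->documentElement->textContent;
}

/**
 * Parse without LIBXML_NOENT: the entity reference is kept as a node and the
 * external resource is not fetched, so the secret never enters the document.
 */
function parseKeepingEntityRefs(string $xml): string
{
    $dom = new DOMDocument();
    if (!$dom->loadXML($xml)) {
        return '<parse failed>';
    }
    return $dom->documentElement->textContent;
}

function dumpLibxmlErrors(): void
{
    foreach (libxml_get_errors() as $e) {
        echo "  libxml: ", trim($e->message), "\n";
    }
    libxml_clear_errors();
}

// 1. Vulnerable: entity substitution on, loader enabled -> file contents appear.
echo "NOENT, loader enabled:  ", var_export(parseSubstitutingEntities($payload), true), "\n";
dumpLibxmlErrors();

// 2. Hardened on the parse flags alone: no NOENT -> no file read, empty text.
echo "no NOENT:               ", var_export(parseKeepingEntityRefs($payload), true), "\n";
dumpLibxmlErrors();

// 3. The mitigation from the thread: switch the external entity loader off
//    globally. The @ only hides the PHP 8.0+ deprecation notice.
$previous = @libxml_disable_entity_loader(true);
echo "NOENT, loader disabled: ", var_export(parseSubstitutingEntities($payload), true), "\n";
dumpLibxmlErrors();

// 4. The side effect reported as bug #62577: with the loader disabled, loading
//    an entity-free document by path may fail. Report what this build does.
$doc = simplexml_load_file($plainFile);
echo "simplexml_load_file():  ", $doc === false ? "FAILED (bug #62577 behaviour)" : "ok", "\n";
dumpLibxmlErrors();

@libxml_disable_entity_loader($previous);
unlink($secret);
unlink($plainFile);
```

Run it with `php xxe_demo.php`. Step 1 shows the secret in the output, step 2 shows an empty string, and step 3 shows an empty string plus a "failed to load external entity" warning. Whether step 4 prints FAILED is exactly the question the thread is about; on builds where it does, the only way to keep the mitigation and still load files is to read the file yourself and pass the string to loadXML()/simplexml_load_string(), which is why the global switch was awkward to recommend.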