Hi!

> Currently, PHP by default is vulnerable to XXE attacks:
> https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
>
> To bypass this, you need to turn off external entity loading:
>
> libxml_disable_entity_loader(true);
AFAIR right now, due to how it is implemented, this blocks loading XML content from files with something like XMLReader::open() - due to the use of the same code path by both. It may have changed since last time I looked, but it definitely was a major reason why the default stayed that way. What people did is something like that:

    libxml_disable_entity_loader( false );
    $reader->open( $filename );
    libxml_disable_entity_loader( true );

I imagine we could do better. But we need to be careful - if we just set it as disabled, we could break a lot of unsuspecting apps that do nothing more than reading XML files.

-- 
Stas Malyshev
smalys...@gmail.com

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
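The workaround described in the message above, written out as a complete added example (not code from the thread or from PHP itself): the entity loader is re-enabled only for the duration of XMLReader::open() and switched off again in a finally block, and a second helper shows the corresponding hardening for XML strings received from clients. It assumes the PHP 7.x behaviour the thread discusses; on PHP 8.0 and later with libxml 2.9+, external entity loading is already off by default and libxml_disable_entity_loader() is deprecated, so only the parser flags and the DOCTYPE check remain relevant there. The sample inputs at the bottom are constructed for the demonstration.

```php
<?php
// Added example, not from the thread. Assumes PHP 7.x semantics: with
// libxml_disable_entity_loader(true) in effect, XMLReader::open() on a local
// file fails because it goes through the same loader callback.
declare(strict_types=1);

/**
 * Open a trusted local XML file with XMLReader using the pattern from the
 * thread: enable the loader only around open(), then disable it again.
 * Entity substitution and DTD loading are also turned off on the reader,
 * so declared entities are reported as ENTITY_REF nodes, never expanded.
 */
function openXmlFileSafely(string $filename): XMLReader
{
    $reader = new XMLReader();
    libxml_disable_entity_loader(false);            // needed for open() on old PHP
    try {
        // LIBXML_NONET: no network fetches even if the document asks for them
        if (!$reader->open($filename, null, LIBXML_NONET)) {
            throw new RuntimeException("Cannot open XML file: $filename");
        }
    } finally {
        libxml_disable_entity_loader(true);         // always restore the hardened state
    }
    $reader->setParserProperty(XMLReader::SUBST_ENTITIES, false);
    $reader->setParserProperty(XMLReader::LOAD_DTD, false);
    return $reader;
}

/**
 * Parse an XML string from an untrusted source into a DOMDocument.
 * Any DOCTYPE is rejected up front (entity declarations can only live
 * inside one), the loader is disabled while parsing, and LIBXML_NOENT is
 * deliberately not passed because it would turn entity substitution on.
 */
function parseUntrustedXml(string $xml): DOMDocument
{
    if (preg_match('/<!DOCTYPE/i', $xml) === 1) {
        throw new InvalidArgumentException('DOCTYPE declarations are not accepted');
    }
    $previousErrors = libxml_use_internal_errors(true);
    $previousLoader = libxml_disable_entity_loader(true);
    try {
        $dom = new DOMDocument();
        if (!$dom->loadXML($xml, LIBXML_NONET)) {
            $err = libxml_get_last_error();
            $msg = $err !== false ? trim($err->message) : 'unknown error';
            throw new InvalidArgumentException("Malformed XML: $msg");
        }
        return $dom;
    } finally {
        libxml_disable_entity_loader($previousLoader);
        libxml_clear_errors();
        libxml_use_internal_errors($previousErrors);
    }
}

// Constructed sample inputs for the demonstration.
$withDoctype = '<?xml version="1.0"?>'
    . '<!DOCTYPE note [<!ENTITY greeting "hello">]>'
    . '<note>&greeting;</note>';
try {
    parseUntrustedXml($withDoctype);
} catch (InvalidArgumentException $e) {
    echo "Rejected: {$e->getMessage()}\n";
}

$clean = parseUntrustedXml('<note><to>ops</to></note>');
echo "Root element: {$clean->documentElement->nodeName}\n";

// Reading a local file with the loader toggled around open():
// $reader = openXmlFileSafely(__DIR__ . '/config.xml');
// while ($reader->read()) { /* handle nodes */ }
```

The try/finally around open() is what makes the thread's three-line pattern safe in practice: if open() throws or the file is missing, the loader still ends up disabled rather than left open for the rest of the request. The DOCTYPE check in parseUntrustedXml() is coarse, but it is independent of the PHP and libxml versions in use, which is what you want for input you do not control.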