(PHP 5 >= 5.2.11, PHP 7)

libxml_disable_entity_loader: Disables the loading of external entities


libxml_disable_entity_loader ([ bool $disable = TRUE ] ) : bool

Enables or disables the loading of external entities.

Parameters


Disables (TRUE) or enables (FALSE) the loading of external entities by the libxml extensions (such as DOM, XMLWriter and XMLReader).

Return values

Returns the previous configuration.
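
The following example is added here and is not part of the manual page. It uses the return value to restore the previous setting once parsing is done, which limits the side effects on other libxml consumers (URL loading, WSDL imports, XSLT imports) that the notes below describe. `parseUntrustedXml()` and the sample documents are constructed for illustration.

```php
<?php
// Added example, not from the manual. parseUntrustedXml() is a hypothetical helper.
function parseUntrustedXml(string $xml): DOMDocument
{
    // The call returns the previous setting; keep it so it can be restored.
    // Guarded because the function is deprecated as of PHP 8.0.
    $previous = null;
    if (PHP_VERSION_ID < 80000) {
        $previous = libxml_disable_entity_loader(true);
    }
    $oldErrors = libxml_use_internal_errors(true); // collect errors instead of warnings
    try {
        $doc = new DOMDocument();
        // LIBXML_NONET forbids network fetches; LIBXML_NOENT and LIBXML_DTDLOAD
        // are deliberately absent so entities are never substituted.
        if ($xml === '' || !$doc->loadXML($xml, LIBXML_NONET)) {
            throw new RuntimeException('malformed XML');
        }
        // Second layer: refuse any document that declares a DOCTYPE at all.
        foreach ($doc->childNodes as $node) {
            if ($node->nodeType === XML_DOCUMENT_TYPE_NODE) {
                throw new RuntimeException('DOCTYPE not allowed');
            }
        }
        return $doc;
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($oldErrors);
        if ($previous !== null) {
            libxml_disable_entity_loader($previous); // restore for WSDL/XSLT loaders
        }
    }
}

// Constructed sample inputs (the file path is a placeholder).
$samples = [
    'plain'   => '<scan><host>example</host></scan>',
    'doctype' => '<!DOCTYPE scan [<!ENTITY test SYSTEM "file:///constructed/sample">]>'
               . '<scan>&test;</scan>',
];
foreach ($samples as $name => $xml) {
    try {
        parseUntrustedXml($xml);
        echo "$name: accepted\n";
    } catch (RuntimeException $e) {
        echo "$name: rejected ({$e->getMessage()})\n";
    }
}
```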

See also


User Contributed Notes 5 notes

6 years ago
Using this function you can prevent a vulnerability to Local and Remote File Inclusion attacks.

You'll see it in an example where I load and validate the following string:

<!DOCTYPE scan [<!ENTITY test SYSTEM "php://filter/read=convert.base64-encode/resource=/etc/passwd">]>

One way to prevent the file from being given back is to set this value to 0.
Please take a closer look at the release of Symfony 2.0.11.
phofstetter at sensational dot ch
4 years ago
Be mindful that this also disables URL loading in simplexml_load_file() and likely other libxml-based functions that deal with URLs.
vavra at 602 dot cz
1 year ago
If is called

, it causes that new SoapClient(.) fails with

SOAP-ERROR: Parsing WSDL: Couldn't load from 'D:\path/dm_operations.wsdl' : failed to load external entity "D:\path/dm_operations.wsdl

because this WSDL imports an XSD as another external file.
Tested on PHP 7.1.12, Win x64.
daschtour at me dot com
5 years ago
This function was reported to be not thread-safe. So this might affect PHP scripts on the same server.
brendan at bloodbone dot ws
4 years ago
This also seems to have an impact on <xsl:import /> statements if this is applied when loading XSLT for the XSLTProcessor class.