php-doc-en/reference/libxml/functions/libxml-disable-entity-loader.xml
Juliette f3b5475eeb
PHP 8.0 migration/deprecated: expand on libxml_disable_entity_loader() (#528)
The current text in the migration guide about the deprecation of `libxml_disable_entity_loader()` is misleading and can easily lead to the introduction of XXE vulnerable code.

In select circumstances, when `LIBXML_NOENT` is used, code can still be vulnerable to XXE attacks, even on PHP 8.0.
So I'm proposing to add an appropriate warning and mention the upgrade path in the migration guide.

Includes fixing a typo on the `libxml_disable_entity_loader()` page.

Co-authored-by: jrfnl <jrfnl@users.noreply.github.com>
2021-04-16 10:44:07 +02:00


<?xml version="1.0" encoding="utf-8"?>
<!-- $Revision$ -->
<refentry xml:id="function.libxml-disable-entity-loader" xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink">
<refnamediv>
<refname>libxml_disable_entity_loader</refname>
<refpurpose>Disable the ability to load external entities</refpurpose>
</refnamediv>
<refsynopsisdiv>
&warn.deprecated.function-8-0-0;
</refsynopsisdiv>
<refsect1 role="description">
&reftitle.description;
<methodsynopsis>
<type>bool</type><methodname>libxml_disable_entity_loader</methodname>
<methodparam choice="opt"><type>bool</type><parameter>disable</parameter><initializer>&true;</initializer></methodparam>
</methodsynopsis>
<para>
Disable/enable the ability to load external entities.
Note that disabling the loading of external entities may cause general issues
with loading XML documents. However, as of libxml 2.9.0 external entities are
not fetched by default, so there is no need to disable the loading of external
entities, unless entity substitution is explicitly requested with
<constant>LIBXML_NOENT</constant>.
Be aware that <constant>LIBXML_NOENT</constant> substitutes external entities as
well as internal ones: a parser invoked with that option will fetch whatever a
<literal>SYSTEM</literal> identifier points at (a local file or a network
resource) regardless of the PHP version, so such code remains exposed to XXE on
PHP 8.0 unless external loading is suppressed separately.
Generally, it is preferable to use <function>libxml_set_external_entity_loader</function>
to suppress loading of external entities; a loader callback that returns &null;
for every request blocks all of them.
</para>
</refsect1>
<refsect1 role="parameters">
&reftitle.parameters;
<para>
<variablelist>
<varlistentry>
<term><parameter>disable</parameter></term>
<listitem>
<para>
Disable (&true;) or enable (&false;) the ability of the libxml-based
extensions (such as <xref linkend="book.dom" />, <xref linkend="book.xmlwriter" />
and <xref linkend="book.xmlreader" />) to load external entities.
The setting is not per parser: it applies to every subsequent libxml parse
in the running script until it is changed back.
</para>
</listitem>
</varlistentry>
</variablelist>
</para>
</refsect1>
<refsect1 role="returnvalues">
&reftitle.returnvalues;
<para>
Returns the previous value of the setting: &true; if external entity loading
was already disabled before this call, &false; otherwise.
</para>
</refsect1>
<!--
<refsect1 role="errors">
&reftitle.errors;
<para>
When does this function issue E_* level errors, and/or throw exceptions.
</para>
</refsect1>
-->
<!--
<refsect1 role="examples">
&reftitle.examples;
<para>
<example>
<title><function>libxml_disable_entity_loader</function> example</title>
<para>
Any text that describes the purpose of the example, or what
goes on in the example should be here.
</para>
<programlisting role="php">
<![CDATA[
<?php
/* ... */
?>
]]>
</programlisting>
&example.outputs.similar;
<screen>
<![CDATA[
...
]]>
</screen>
</example>
</para>
</refsect1>
-->
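<refsect1 role="examples">
&reftitle.examples;
<para>
The following example is added here as an editor's illustration of the caveat in
the description above; it is not part of the original manual page or of the PHP
project's own code. It parses a constructed document that declares an external
entity pointing at a temporary file created by the script (standing in for
something like <filename>/etc/passwd</filename>), first with default options,
then with <constant>LIBXML_NOENT</constant>, and finally with
<constant>LIBXML_NOENT</constant> plus a blocking loader installed through
<function>libxml_set_external_entity_loader</function>. The temporary file, the
entity names and the <literal>parse()</literal> and <literal>leaked()</literal>
helpers are the example's own assumptions. It requires PHP 8.0 or later
(<function>str_contains</function>).
</para>
<programlisting role="php">
<![CDATA[
```php
<?php
// Added example, not code from the PHP manual or the PHP project: shows why
// LIBXML_NOENT still exposes a parser to XXE on PHP 8.0 and how to block
// external entity loading with libxml_set_external_entity_loader() instead of
// the deprecated libxml_disable_entity_loader().
// All data is constructed locally; $secretFile stands in for a sensitive file.
declare(strict_types=1);

$secret = 'TOP-SECRET-TOKEN';
$secretFile = tempnam(sys_get_temp_dir(), 'xxe');
file_put_contents($secretFile, $secret);

// Attacker-controlled document (constructed): declares an external entity that
// points at a local file (a network URL behaves the same) and references it.
$xml = <<<XML
<?xml version="1.0"?>
<!DOCTYPE doc [
  <!ENTITY greeting "hello">
  <!ENTITY leak SYSTEM "file://{$secretFile}">
]>
<doc><msg>&greeting;</msg><data>&leak;</data></doc>
XML;

// Collect libxml errors instead of emitting warnings for blocked loads.
libxml_use_internal_errors(true);

// Parse with the given options; null when libxml rejects the document.
function parse(string $xml, int $options): ?DOMDocument
{
    libxml_clear_errors();
    $dom = new DOMDocument();
    return $dom->loadXML($xml, $options) ? $dom : null;
}

// Did the file content end up inside the parsed document?
function leaked(?DOMDocument $dom, string $secret): bool
{
    return $dom !== null && str_contains($dom->saveXML(), $secret);
}

// 1. Default options: libxml >= 2.9.0 does not fetch external entities, so
//    &leak; stays an unexpanded entity reference and the file is never read.
printf("default options    leaked=%s\n",
    leaked(parse($xml, 0), $secret) ? 'yes' : 'no');

// 2. LIBXML_NOENT: entity substitution is requested, and that covers external
//    entities too. The file content is copied into <data>: this is XXE, on
//    PHP 8.0 as much as on older versions.
printf("LIBXML_NOENT       leaked=%s\n",
    leaked(parse($xml, LIBXML_NOENT), $secret) ? 'yes' : 'no');

// 3. Supported fix: install an external entity loader that refuses every
//    request. Returning null tells libxml the resource cannot be loaded, so
//    nothing is fetched; libxml records an error instead. The loader is
//    global, so it also covers SimpleXML, XMLReader, etc. parsed afterwards.
//    (libxml_disable_entity_loader(true) has the same effect but raises
//    E_DEPRECATED on PHP 8.0.)
$blocked = [];
libxml_set_external_entity_loader(
    static function (?string $publicId, ?string $systemId, array $context) use (&$blocked): ?string {
        $blocked[] = (string) $systemId; // keep an audit trail of what was asked for
        return null;                     // never hand libxml a resource
    }
);
printf("NOENT + loader     leaked=%s blocked=%s\n",
    leaked(parse($xml, LIBXML_NOENT), $secret) ? 'yes' : 'no',
    implode(',', $blocked));

// Restore libxml's default loader so later code is not affected by this demo.
libxml_set_external_entity_loader(null);
unlink($secretFile);
```
]]>
</programlisting>
<para>
Only the second run reports <literal>leaked=yes</literal>. In the third run the
loader is consulted for the <literal>file://</literal> system identifier and
refuses it, so the secret never enters the document whether libxml returns a
document with an empty <literal>&lt;data&gt;</literal> element or rejects the
parse outright; check <function>libxml_get_errors</function> if you need to
distinguish the two.
</para>
</refsect1>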
<refsect1 role="seealso">
&reftitle.seealso;
<para>
<simplelist>
<member><function>libxml_use_internal_errors</function></member>
<member><function>libxml_set_external_entity_loader</function></member>
<member><link linkend="libxml.constants">The <constant>LIBXML_NOENT</constant> constant</link></member>
</simplelist>
</para>
</refsect1>
</refentry>
<!-- Keep this comment at the end of the file
Local variables:
mode: sgml
sgml-omittag:t
sgml-shorttag:t
sgml-minimize-attributes:nil
sgml-always-quote-attributes:t
sgml-indent-step:1
sgml-indent-data:t
indent-tabs-mode:nil
sgml-parent-document:nil
sgml-default-dtd-file:"~/.phpdoc/manual.ced"
sgml-exposed-tags:nil
sgml-local-catalogs:nil
sgml-local-ecat-files:nil
End:
vim600: syn=xml fen fdm=syntax fdl=2 si
vim: et tw=78 syn=sgml
vi: ts=1 sw=1
-->