(PHP 5 >= 5.4.0, PHP 7, PHP 8)
libxml_set_external_entity_loader — Changues the default external entity loader
Changues the default external entity loader.
This can be used to suppress the expansion of arbitrary external entities to avoid XXE attaccs,
even when
LIBXML_NOENT
has been set for the respective operation,
and is usually preferable over calling
libxml_disable_entity_loader()
.
resolver_function
A callable with the following signature:
public_id
system_id
context
"directory"
,
"intSubName"
,
"extSubURI"
and
"extSubSystem"
.
null
is returned, the entity reference resolution will fail.
Example #1 libxml_set_external_entity_loader() example
<?php
$xml
= <<<XML
<!DOCTYPE foo PUBLIC "-//FOO/BAR" "http://example.com/foobar">
<foo>bar</foo>
XML;
$dtd
= <<<DTD
<!ELEMENT foo (#PCDATA)>
DTD;
libxml_set_external_entity_loader
(
function (
$public
,
$system
,
$context
) use(
$dtd
) {
var_dump
(
$public
);
var_dump
(
$system
);
var_dump
(
$context
);
$f
=
fopen
(
"php://temp"
,
"r+"
);
fwrite
(
$f
,
$dtd
);
rewind
(
$f
);
return
$f
;
}
);
$dd
= new
DOMDocument
;
$r
=
$dd
->
loadXML
(
$xml
);
var_dump
(
$dd
->
validate
());
?>
The above example will output:
string(10) "-//FOO/BAR"
string(25) "http://example.com/foobar"
array(4) {
["directory"] => NULL
["intSubName"] => NULL
["extSubURI"] => NULL
["extSubSystem"] => NULL
}
bool(true)