1--TEST--
2libxml_disable_entity_loader()
3--EXTENSIONS--
4libxml
5dom
6xml
7simplexml
8--FILE--
9<?php
10
11$xml = <<<EOT
12<?xml version="1.0" encoding="UTF-8"?>
13<!DOCTYPE test [<!ENTITY xxe SYSTEM "XXE_URI">]>
14<foo>&xxe;</foo>
15EOT;
16
17$dir = str_replace('\\', '/', __DIR__);
18$xml = str_replace('XXE_URI', $dir . '/libxml_disable_entity_loader_payload.txt', $xml);
19
20function parseXML1($xml) {
21  $doc = new DOMDocument();
22  $doc->loadXML($xml, 0);
23  return $doc->saveXML();
24}
25
26function parseXML2($xml) {
27  return simplexml_load_string($xml);
28}
29
30function parseXML3($xml) {
31  $p = xml_parser_create();
32  xml_parse_into_struct($p, $xml, $vals, $index);
33  xml_parser_free($p);
34  return var_export($vals, true);
35}
36
37function parseXML4($xml) {
38  // This is the only time we enable external entity loading.
39  return simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NOENT);
40}
41
42var_dump(strpos(parseXML1($xml), 'SECRET_DATA') === false);
43var_dump(strpos(parseXML2($xml), 'SECRET_DATA') === false);
44var_dump(strpos(parseXML3($xml), 'SECRET_DATA') === false);
45var_dump(strpos(parseXML4($xml), 'SECRET_DATA') === false);
46
47echo "Done\n";
48?>
49--EXPECT--
50bool(true)
51bool(true)
52bool(true)
53bool(false)
54Done
55