| author | Paweł Sroka <srokap@gmail.com> | 2014-01-01 13:12:24 +0100 | 
|---|---|---|
| committer | Paweł Sroka <srokap@gmail.com> | 2014-01-01 13:12:24 +0100 | 
| commit | 53509917fd2119e17209179aae6d54b64dd2d244 (patch) | |
| tree | aac2e883578b78796686728ae3beed5b2a35a9a4 /engine/classes | |
| parent | 7006294fcbfab450289403b6519edb9d5d30ff35 (diff) | |
| parent | 7cacdc8bc26c98a58dc8986acfd911d6542608af (diff) | |
| download | elgg-53509917fd2119e17209179aae6d54b64dd2d244.tar.gz elgg-53509917fd2119e17209179aae6d54b64dd2d244.tar.bz2  | |
Merged in libxml18 (pull request #8)
Disable loading external entities during XML parsing
Diffstat (limited to 'engine/classes')
| -rw-r--r-- | engine/classes/ElggAutoP.php | 14 | ||||
| -rw-r--r-- | engine/classes/ElggXMLElement.php | 8 | 
2 files changed, 20 insertions, 2 deletions
diff --git a/engine/classes/ElggAutoP.php b/engine/classes/ElggAutoP.php
index 71536c433..05842d1b2 100644
--- a/engine/classes/ElggAutoP.php
+++ b/engine/classes/ElggAutoP.php
@@ -110,12 +110,19 @@ class ElggAutoP {
 		// http://www.php.net/manual/en/domdocument.loadhtml.php#95463
 		libxml_use_internal_errors(true);
+		// Do not load entities. May be unnecessary, better safe than sorry
+		$disable_load_entities = libxml_disable_entity_loader(true);
+
 		if (!$this->_doc->loadHTML("<html><meta http-equiv='content-type' " 
 				. "content='text/html; charset={$this->encoding}'><body>{$html}</body>"
 				. "</html>")) {
+
+			libxml_disable_entity_loader($disable_load_entities);
 			return false;
 		}
+		libxml_disable_entity_loader($disable_load_entities);
+
 		$this->_xpath = new DOMXPath($this->_doc);
 		// start processing recursively at the BODY element
 		$nodeList = $this->_xpath->query('//body[1]');
@@ -135,9 +142,16 @@ class ElggAutoP {
 		// re-parse so we can handle new AUTOP elements
+		// Do not load entities. May be unnecessary, better safe than sorry
+		$disable_load_entities = libxml_disable_entity_loader(true);
+
 		if (!$this->_doc->loadHTML($html)) {
+			libxml_disable_entity_loader($disable_load_entities);
 			return false;
 		}
+
+		libxml_disable_entity_loader($disable_load_entities);
+
 		// must re-create XPath object after DOM load
 		$this->_xpath = new DOMXPath($this->_doc);
diff --git a/engine/classes/ElggXMLElement.php b/engine/classes/ElggXMLElement.php
index 6f2633e25..cbd3fc5ce 100644
--- a/engine/classes/ElggXMLElement.php
+++ b/engine/classes/ElggXMLElement.php
@@ -20,7 +20,12 @@ class ElggXMLElement {
 		if ($xml instanceof SimpleXMLElement) {
 			$this->_element = $xml;
 		} else {
+			// do not load entities
+			$disable_load_entities = libxml_disable_entity_loader(true);
+
 			$this->_element = new SimpleXMLElement($xml);
+
+			libxml_disable_entity_loader($disable_load_entities);
 		}
 	}
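Review bot: The restore of the entity-loader flag is written twice around each `loadHTML()` call, once before `return false` and once after the `if`, in this hunk and again in the second ElggAutoP hunk at `@@ -135,9 +142,16 @@`; since `libxml_disable_entity_loader()` toggles process-global state, every exit path must restore it, and a single restore is easier to keep correct as the method grows. Capturing the parse result lets the flag be restored before the result is checked: `$loaded = $this->_doc->loadHTML(...); libxml_disable_entity_loader($disable_load_entities); if (!$loaded) { return false; }`. With `libxml_use_internal_errors(true)` set just above, a parse failure returns false rather than throwing, so no other exit path is visible in this hunk; the enclosing method starts and ends outside it. Note also that `libxml_disable_entity_loader()` is deprecated since PHP 8.0, where external entity loading is disabled by default, so the "may be unnecessary" comment is worth revisiting when the minimum PHP version is raised.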
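Review bot: In the ElggXMLElement hunk the restore call after `new SimpleXMLElement($xml)` is never reached when the constructor throws on malformed input, so the process-global setting stays disabled for the remainder of the request instead of being returned to its previous value; the constructor is the one call in this hunk that can throw, and the restore has to run on that path as well. A `try`/`finally` does this if the project's minimum PHP version allows `finally`; otherwise catch, restore and rethrow as below. The enclosing constructor starts outside the hunk.
```php
			// do not load entities
			$disable_load_entities = libxml_disable_entity_loader(true);
			try {
				$this->_element = new SimpleXMLElement($xml);
			} catch (Exception $e) {
				libxml_disable_entity_loader($disable_load_entities);
				throw $e;
			}
			libxml_disable_entity_loader($disable_load_entities);
```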
@@ -123,5 +128,4 @@ class ElggXMLElement {
 		}
 		return false;
 	}
-
-}
\ No newline at end of file
+}
 |
