From d53447f7e6b3277f3249d9a70e56ec01a90c3a60 Mon Sep 17 00:00:00 2001
From: Steve Clay <steve@mrclay.org>
Date: Thu, 11 Jul 2013 13:24:01 -0400
Subject: Disable loading external entities during XML parsing

---
 engine/classes/ElggXMLElement.php | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

(limited to 'engine/classes/ElggXMLElement.php')

diff --git a/engine/classes/ElggXMLElement.php b/engine/classes/ElggXMLElement.php
index 6f2633e25..cbd3fc5ce 100644
--- a/engine/classes/ElggXMLElement.php
+++ b/engine/classes/ElggXMLElement.php
@@ -20,7 +20,12 @@ class ElggXMLElement {
 		if ($xml instanceof SimpleXMLElement) {
 			$this->_element = $xml;
 		} else {
+			// do not load entities
+			$disable_load_entities = libxml_disable_entity_loader(true);
+
 			$this->_element = new SimpleXMLElement($xml);
+
+			libxml_disable_entity_loader($disable_load_entities);
 		}
 	}
 
@@ -123,5 +128,4 @@ class ElggXMLElement {
 		}
 		return false;
 	}
-
-}
\ No newline at end of file
+}
-- 
cgit v1.2.3