Security Class Reference

Public Member Functions
	scan ($xmlContent)

Detailed Description

Class Security

Definition at line 13 of file Security.php.

Member Function Documentation

scan()

scan

(

$xmlContent

)

Security check loaded XML document

Parameters

string

$xmlContent

Returns

bool

@SuppressWarnings(PHPMD.UnusedLocalVariable)

If running with PHP-FPM we perform an heuristic scan We cannot use libxml_disable_entity_loader because of this bug

See also

https://bugs.php.net/bug.php?id=64938

Load XML with network access disabled (LIBXML_NONET) error disabled with @ for PHP-FPM scenario

Definition at line 44 of file Security.php.

    {
        if ($this->isPhpFpm()) {
            return $this->heuristicScan($xmlContent);
        }

        $document = new DOMDocument();

        $loadEntities = libxml_disable_entity_loader(true);
        $useInternalXmlErrors = libxml_use_internal_errors(true);

        set_error_handler(
            function ($errno, $errstr) {
                if (substr_count($errstr, 'DOMDocument::loadXML()') > 0) {
                    return true;
                }
                return false;
            },
            E_WARNING
        );

        $result = (bool)$document->loadXML($xmlContent, LIBXML_NONET);
        restore_error_handler();
        // Entity load to previous setting
        libxml_disable_entity_loader($loadEntities);
        libxml_use_internal_errors($useInternalXmlErrors);

        if (!$result) {
            return false;
        }

        foreach ($document->childNodes as $child) {
            if ($child->nodeType === XML_DOCUMENT_TYPE_NODE) {
                if ($child->entities->length > 0) {
                    return false;
                }
            }
        }

        return true;
    }

---

The documentation for this class was generated from the following file:

• vendor/magento/framework/Xml/Security.php