libxml_set_external_entity_loader
(PHP 5 >= 5.4.0, PHP 7, PHP 8)
libxml_set_external_entity_loader — Changes the default external entity loader
Description
Changes the default external entity loader.
This can be used to suppress the expansion of arbitrary external entities to avoid XXE attacks,
even when LIBXML_NOENT
has been set for the respective operation,
and is usually preferable over calling libxml_disable_entity_loader().
Parameters
-
resolver_function
-
A callable with the following signature:
resolver(string$public_id
, string$system_id
, array$context
): resource|string|null-
public_id
- The public ID.
-
system_id
- The system ID.
-
context
-
An array with the four elements
"directory"
,"intSubName"
,"extSubURI"
and"extSubSystem"
.
null
is returned, the entity reference resolution will fail. -
Return Values
Returns true
on success or false
on failure.
Examples
Example #1 libxml_set_external_entity_loader() example
<?php
$xml = <<<XML
<!DOCTYPE foo PUBLIC "-//FOO/BAR" "http://example.com/foobar">
<foo>bar</foo>
XML;
$dtd = <<<DTD
<!ELEMENT foo (#PCDATA)>
DTD;
libxml_set_external_entity_loader(
function ($public, $system, $context) use($dtd) {
var_dump($public);
var_dump($system);
var_dump($context);
$f = fopen("php://temp", "r+");
fwrite($f, $dtd);
rewind($f);
return $f;
}
);
$dd = new DOMDocument;
$r = $dd->loadXML($xml);
var_dump($dd->validate());
?>
The above example will output:
string(10) "-//FOO/BAR" string(25) "http://example.com/foobar" array(4) { ["directory"] => NULL ["intSubName"] => NULL ["extSubURI"] => NULL ["extSubSystem"] => NULL } bool(true)