libxml_disable_entity_loader

(PHP 5 >= 5.2.11, PHP 7, PHP 8)

libxml_disable_entity_loader — Disable the ability to load external entities

Warning

本函数已自 PHP 8.0.0 起被废弃。强烈建议不要依赖本函数。

说明

libxml_disable_entity_loader ( bool $disable = true ) : bool

Disable/enable the ability to load external entities. Note that disabling the loading of external entities may cause general issues with loading XML documents. However, as of libxml 2.9.0 entity substitution is disabled by default, so there is no need to disable the loading of external entities, unless there is the need to resolve internal entity references with LIBXML_NOENT. Generally, it is preferable to use libxml_set_external_entity_loader() to suppress loading of external entities.

参数

disable: Disable (true) or enable (false) libxml extensions (such as DOM, XMLWriter and XMLReader) to load external entities.

返回值

Returns the previous value.

参见

libxml_use_internal_errors() - Disable libxml errors and allow user to fetch error information as needed
libxml_set_external_entity_loader() - Changes the default external entity loader
The LIBXML_NOENT constant

User Contributed Notes

suconghou at gmail dot com 07-Jan-2021 10:27


In PHP 8.0 and later, PHP uses libxml versions from 2.9.0, libxml_disable_entity_loader is deprecated.

so it is now safe to remove all `libxml_disable_entity_loader` calls on php8



if you want Backwards Compatibility



use this snippet



if (\PHP_VERSION_ID < 80000) {

    libxml_disable_entity_loader(true);

}

vavra at 602 dot cz 04-Jan-2018 09:48


If is called 

libxml_disable_entity_loader(true);



, it causes that new SoapClient(.) fails with



SOAP-ERROR: Parsing WSDL: Couldn't load from 'D:\path/dm_operations.wsdl' : failed to load external entity "D:\path/dm_operations.wsdl



because this wsdl imports a xsd as an another external file.

Tested on php 7.1.12, win x64.

brendan at bloodbone dot ws 25-Mar-2014 10:23


This also seems to have an impact on <xsl:import /> statements if this is applied when loading XSLT for the XSLTProcessor class.

phofstetter at sensational dot ch 27-Jan-2014 04:36


Be mindful that this also disables url loading in simplexml_load_file() and likely other libxml based functions that deal with URLs

daschtour at me dot com 25-Dec-2013 11:56


This function was reported to be not thread safe. So this might affect php-scripts on the same server.

simonsimcity 29-Feb-2012 06:23


Using this function you can prevent a vulnerable to Local and Remote File Inclusion attacks.



You'll see it in an example where I load and validate the following string:



<!DOCTYPE scan [<!ENTITY test SYSTEM "php://filter/read=convert.base64-encode/resource=/etc/passwd">]>

<scan>&test;</scan>



One way to prevent that the file in given back is to set this value to 0.

Please take a closer look at the release of symfony 2.0.11