©
本文档使用 PHP中文网手册 发布
(PHP 5 >= 5.2.11)
libxml_disable_entity_loader — Disable the ability to load external entities
$disable
= true
] )Disable/enable the ability to load external entities.
disable
Disable ( TRUE
) or enable ( FALSE
) libxml extensions (such as
DOM, XMLWriter
and XMLReader) to load external entities.
Returns the previous value.
LIBXML_NONET
constant [#1] brendan at bloodbone dot ws [2014-03-25 10:23:12]
This also seems to have an impact on <xsl:import /> statements if this is applied when loading XSLT for the XSLTProcessor class.
[#2] phofstetter at sensational dot ch [2014-01-27 16:36:51]
Be mindful that this also disables url loading in simplexml_load_file() and likely other libxml based functions that deal with URLs
[#3] daschtour at me dot com [2013-12-25 11:56:59]
This function was reported to be not thread safe. So this might affect php-scripts on the same server.
[#4] simonsimcity [2012-02-29 18:23:52]
Using this function you can prevent a vulnerable to Local and Remote File Inclusion attacks.
You'll see it in an example where I load and validate the following string:
<!DOCTYPE scan [<!ENTITY test SYSTEM "php://filter/read=convert.base64-encode/resource=/etc/passwd">]>
<scan>&test;</scan>
One way to prevent that the file in given back is to set this value to 0.
Please take a closer look at the release of symfony 2.0.11