Hacker News
by jjice 1577 days ago
Yeah, I had never heard of XXE until now. Just looked into if PHP's DOMDocument does this by default and it seems like it's based on a configuration setting for the system (very PHP like...), though it looks like you can always run something like libxml_disable_entity_loader or pass in a flag to the load function to not have it do it.

This begs the question: why is this the default? If you know you need it, you can be required to pass a flag to explicitly allow instead of having to disallow. I'm going to hope modern XML libraries handle this the opposite way and chalk this up to PHP being on the older side.

1 comment
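An added example (not code from the thread) that shows where DOMDocument does and does not resolve an external entity. One caveat worth knowing: PHP 8.0 requires libxml2 2.9.0 or newer, under which external entities are not loaded unless the caller passes LIBXML_NOENT, so the opt-in model the comment wishes for is in fact what current PHP gives you; libxml_disable_entity_loader() was deprecated in 8.0 for that reason. The file path in the sample document is illustrative (any readable local file works), the sample XML is constructed, and the code assumes PHP 8.0 or newer for the nullsafe operator.

```php
<?php
declare(strict_types=1);

// Constructed sample document: an external SYSTEM entity pointing at a local file.
// The path is illustrative; any file the PHP process can read shows the same effect.
const SAMPLE_XML = <<<'XML'
<?xml version="1.0"?>
<!DOCTYPE order [
  <!ENTITY xxe SYSTEM "file:///etc/hostname">
]>
<order><note>&xxe;</note></order>
XML;

// Vulnerable: LIBXML_NOENT tells libxml2 to substitute entity references, and for an
// external SYSTEM entity that means reading the referenced file (or fetching a URL,
// unless LIBXML_NONET is also set). Without this flag the reference is left unexpanded.
function parseWithEntitySubstitution(string $xml): string
{
    $doc = new DOMDocument();
    $doc->loadXML($xml, LIBXML_NOENT);
    return $doc->getElementsByTagName('note')->item(0)->textContent;
}

// Hardened parse for untrusted input:
//  - no LIBXML_NOENT, so entity references are never substituted;
//  - LIBXML_NONET, so nothing in the document can reach out over the network;
//  - any DOCTYPE at all is rejected after parsing, which also refuses internal-entity
//    expansion attacks (billion laughs) and parameter-entity exfiltration variants.
function parseUntrusted(string $xml): DOMDocument
{
    $previous = libxml_use_internal_errors(true);
    try {
        $doc = new DOMDocument();
        if ($doc->loadXML($xml, LIBXML_NONET) === false) {
            $err = libxml_get_last_error();
            throw new InvalidArgumentException(
                'XML parse error: ' . ($err !== false ? trim($err->message) : 'unknown')
            );
        }
        if ($doc->doctype !== null) {
            throw new InvalidArgumentException('DOCTYPE declarations are not accepted');
        }
        return $doc;
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($previous);
    }
}

// For legacy code that genuinely needs LIBXML_NOENT (e.g. for internal entities):
// make every external lookup fail instead of reading a file or opening a socket.
// This is the non-deprecated replacement for libxml_disable_entity_loader(true).
function refuseExternalEntities(): void
{
    libxml_set_external_entity_loader(
        static fn (?string $public, string $system, array $context) => null
    );
}

// Demonstration.
echo "With LIBXML_NOENT (vulnerable): ",
     parseWithEntitySubstitution(SAMPLE_XML), PHP_EOL;   // prints the file's contents

try {
    parseUntrusted(SAMPLE_XML);
} catch (InvalidArgumentException $e) {
    echo "Hardened parser: ", $e->getMessage(), PHP_EOL; // DOCTYPE rejected
}

refuseExternalEntities();
libxml_use_internal_errors(true);                        // libxml reports the refused load as an error
$doc = new DOMDocument();
$doc->loadXML(SAMPLE_XML, LIBXML_NOENT);                 // loader returns null: file is never read
echo "With NOENT but external loader refused: ",
     var_export($doc->getElementsByTagName('note')->item(0)?->textContent, true), PHP_EOL;
```

The hardened path deliberately checks for a DOCTYPE after parsing rather than with a regex on the raw bytes, so encoding tricks in the prologue cannot slip a declaration past the check; if your input legitimately needs a DTD, the minimum is to keep LIBXML_NOENT off and LIBXML_NONET on.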

Insecurity is the default in Java as well.

I'd be curious to know the history too. Did they really not foresee that external entities are a security hole?