(PHP 5 >= 5.2.11, PHP 7, PHP 8)
libxml_disable_entity_loader — Disable the ability to load external entities
本函数已自 PHP 8.0.0 起被废弃。强烈建议不要依赖本函数。
Disable/enable the ability to load external entities.
Note that disabling the loading of external entities may cause general issues
with loading XML documents. However, as of libxml 2.9.0 entity substitution
is disabled by default, so there is no need to disable the loading of external
entities,
unless there is the need to resolve internal entity references with LIBXML_NOENT.
Generally, it is preferable to use libxml_set_external_entity_loader()
to suppress loading of external entities.
Returns the previous value.
LIBXML_NOENT constantIn PHP 8.0 and later, PHP uses libxml versions from 2.9.0, libxml_disable_entity_loader is deprecated.
so it is now safe to remove all `libxml_disable_entity_loader` calls on php8
if you want Backwards Compatibility
use this snippet
if (\PHP_VERSION_ID < 80000) {
libxml_disable_entity_loader(true);
}If is called
libxml_disable_entity_loader(true);
, it causes that new SoapClient(.) fails with
SOAP-ERROR: Parsing WSDL: Couldn't load from 'D:\path/dm_operations.wsdl' : failed to load external entity "D:\path/dm_operations.wsdl
because this wsdl imports a xsd as an another external file.
Tested on php 7.1.12, win x64.There is an extra \ should be deleted before PHP_VERSION_ID in the code which suconghou posted 2 years ago.
if (PHP_VERSION_ID < 80000) {
libxml_disable_entity_loader(true);
}Be mindful that this also disables url loading in simplexml_load_file() and likely other libxml based functions that deal with URLsUsing this function you can prevent a vulnerable to Local and Remote File Inclusion attacks.
You'll see it in an example where I load and validate the following string:
<!DOCTYPE scan [<!ENTITY test SYSTEM "php://filter/read=convert.base64-encode/resource=/etc/passwd">]>
<scan>&test;</scan>
One way to prevent that the file in given back is to set this value to 0.
Please take a closer look at the release of symfony 2.0.11This also seems to have an impact on <xsl:import /> statements if this is applied when loading XSLT for the XSLTProcessor class.