Skip to content
This repository has been archived by the owner on Jan 30, 2020. It is now read-only.

Commit

Permalink
Fix for potential XXE/XEE attacks on XML
Browse files Browse the repository at this point in the history
  • Loading branch information
ezimuel authored and weierophinney committed Mar 5, 2014
1 parent d416b07 commit 865f96e
Showing 1 changed file with 3 additions and 2 deletions.
5 changes: 3 additions & 2 deletions src/Json.php
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,7 @@
use SimpleXMLElement;
use Zend\Json\Exception\RecursionException;
use Zend\Json\Exception\RuntimeException;
use Zend\Xml\Security as XmlSecurity;

/**
* Class for encoding to and decoding from JSON.
Expand Down Expand Up @@ -311,10 +312,10 @@ protected static function _processXml($simpleXmlElementObject, $ignoreXmlAttribu
public static function fromXml($xmlStringContents, $ignoreXmlAttributes = true)
{
// Load the XML formatted string into a Simple XML Element object.
$simpleXmlElementObject = simplexml_load_string($xmlStringContents);
$simpleXmlElementObject = XmlSecurity::scan($xmlStringContents);

// If it is not a valid XML content, throw an exception.
if ($simpleXmlElementObject == null) {
if (!$simpleXmlElementObject) {
throw new RuntimeException('Function fromXml was called with an invalid XML formatted string.');
} // End of if ($simpleXmlElementObject == null)

Expand Down

0 comments on commit 865f96e

Please sign in to comment.