Fix for potential XXE/XEE attacks on XML

zendframework · Mar 5, 2014 · 9fe5103 · 9fe5103
1 parent 184be92
commit 9fe5103
Showing 1 changed file with 3 additions and 2 deletions.
diff --git a/src/Json.php b/src/Json.php
@@ -12,6 +12,7 @@
 use SimpleXMLElement;
 use Zend\Json\Exception\RecursionException;
 use Zend\Json\Exception\RuntimeException;
+use Zend\Xml\Security as XmlSecurity;
 
 /**
  * Class for encoding to and decoding from JSON.
@@ -311,10 +312,10 @@ protected static function _processXml($simpleXmlElementObject, $ignoreXmlAttribu
     public static function fromXml($xmlStringContents, $ignoreXmlAttributes = true)
     {
         // Load the XML formatted string into a Simple XML Element object.
-        $simpleXmlElementObject = simplexml_load_string($xmlStringContents);
+        $simpleXmlElementObject = XmlSecurity::scan($xmlStringContents);
 
         // If it is not a valid XML content, throw an exception.
-        if ($simpleXmlElementObject == null) {
+        if (!$simpleXmlElementObject) {
             throw new RuntimeException('Function fromXml was called with an invalid XML formatted string.');
         } // End of if ($simpleXmlElementObject == null)