- simplexml_load_string: documentation ( source)
- libxml_disable_entity_loader: documentation ( source)
<?php
$buffer = <<<XML
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "data://text/plain,test" >]><foo>&xxe;</foo>
XML;
libxml_disable_entity_loader(false);
$xml = simplexml_load_string($buffer, 'SimpleXMLElement', LIBXML_NOENT);
$xml->asXML('php://output');