PHP Function Reference

PHP libxml_set_external_entity_loader() Function



The PHP libxml_set_external_entity_loader() function changes the default external entity loader. It can be used to suppress the expansion of arbitrary external entities and so avoid XXE attacks, even when LIBXML_NOENT has been set for the respective operation, and is usually preferable to calling libxml_disable_entity_loader().

Syntax

libxml_set_external_entity_loader(resolver_function)

Parameters

resolver_function Required. Specify a function with the following signature:
resolver(public_id, system_id, context)
  • public_id: The public ID.
  • system_id: The system ID.
  • context: An array with the four elements "directory", "intSubName", "extSubURI" and "extSubSystem".
This callable should return a resource, a string from which a resource can be opened, or null. If null is returned, the entity reference resolution will fail.

Return Value

Returns true on success or false on failure.

Example: libxml_set_external_entity_loader() example

The example below shows the usage of the libxml_set_external_entity_loader() function.

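<?php
// Document whose DOCTYPE points at an external DTD by public and system ID.
$xml = <<<XML
<!DOCTYPE foo PUBLIC "-//FOO/BAR" "http://example.com/foobar">
<foo>bar</foo>
XML;

// Local DTD that the custom loader serves instead of fetching the URL.
$dtd = <<<DTD
<!ELEMENT foo (#PCDATA)>
DTD;

libxml_set_external_entity_loader(
  function ($public, $system, $context) use($dtd) {
    // Show what libxml asks the loader to resolve.
    var_dump($public);
    var_dump($system);
    var_dump($context);
    // Return the DTD as an in-memory stream resource.
    $f = fopen("php://temp", "r+");
    fwrite($f, $dtd);
    rewind($f);
    return $f;
  }
);

$dd = new DOMDocument;
$r  = $dd->loadXML($xml);

// validate() loads the external subset, which invokes the loader above.
var_dump($dd->validate());
?>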

The output of the above code will be:

string(10) "-//FOO/BAR"
string(25) "http://example.com/foobar"
array(4) {
    ["directory"]    => NULL
    ["intSubName"]   => NULL
    ["extSubURI"]    => NULL
    ["extSubSystem"] => NULL
}
bool(true)
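
An added example, not part of the original reference page: an allow-list loader that serves a vetted DTD for a known public ID and returns null for every other reference, so an external entity is not expanded even when LIBXML_NOENT is set. The $allowed map, the $blocked log and the marker file are constructed for illustration.

```php
<?php
// Added example; $allowed, $blocked and the marker file are constructed.
$allowed = ['-//FOO/BAR' => '<!ELEMENT foo (#PCDATA)>'];  // public ID => DTD
$blocked = [];  // system IDs the loader refused, kept for logging

libxml_set_external_entity_loader(
  function (?string $public, ?string $system, array $context) use ($allowed, &$blocked) {
    if ($public !== null && isset($allowed[$public])) {
      // Known public ID: serve the vetted in-memory copy, never the URL.
      $f = fopen('php://temp', 'r+');
      fwrite($f, $allowed[$public]);
      rewind($f);
      return $f;
    }
    $blocked[] = $system;  // record the refused reference
    return null;           // resolution fails, nothing is opened
  }
);
libxml_use_internal_errors(true);  // collect loader errors instead of warnings

// Constructed local file standing in for data the parser must not read.
$marker = tempnam(sys_get_temp_dir(), 'xxe');
file_put_contents($marker, 'MARKER-SHOULD-NOT-LEAK');

// Document 1: external entity outside the allow-list, parsed with LIBXML_NOENT.
$untrusted = <<<XML
<!DOCTYPE foo [ <!ENTITY ext SYSTEM "file://$marker"> ]>
<foo>&ext;</foo>
XML;
$doc  = new DOMDocument;
$ok   = $doc->loadXML($untrusted, LIBXML_NOENT);
$text = ($ok && $doc->documentElement) ? $doc->documentElement->textContent : '';
var_dump(strpos($text, 'MARKER-SHOULD-NOT-LEAK') === false);  // true when the marker did not leak
var_dump($blocked);  // the refused system IDs

// Document 2: the allow-listed DTD from the page's example is still served.
$trusted = <<<XML
<!DOCTYPE foo PUBLIC "-//FOO/BAR" "http://example.com/foobar">
<foo>bar</foo>
XML;
$doc2 = new DOMDocument;
$doc2->loadXML($trusted);
var_dump($doc2->validate());

unlink($marker);
```

Refused system IDs collected in $blocked are worth logging when the input is untrusted, since they record each external reference the document tried to resolve.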
