pattern = $pattern; $this->libxmlDisableEntityLoader = $this->identifyLibxmlDisableEntityLoaderAvailability(); } public static function getInstance(Reader\IReader $reader) { switch (true) { case $reader instanceof Reader\Html: return new self('= 1; case 1: return PHP_RELEASE_VERSION >= 13; case 0: return PHP_RELEASE_VERSION >= 27; } return true; } return false; } public function setAdditionalCallback(callable $callback) { $this->callback = $callback; } /** * Scan the XML for use of libxmlDisableEntityLoader) { $previousLibxmlDisableEntityLoaderValue = libxml_disable_entity_loader(true); } $pattern = '/encoding="(.*?)"/'; $result = preg_match($pattern, $xml, $matches); $charset = $result ? $matches[1] : 'UTF-8'; if ($charset !== 'UTF-8') { $xml = mb_convert_encoding($xml, 'UTF-8', $charset); } // Don't rely purely on libxml_disable_entity_loader() $pattern = '/\\0?' . implode('\\0?', str_split($this->pattern)) . '\\0?/'; try { if (preg_match($pattern, $xml)) { throw new Reader\Exception('Detected use of ENTITY in XML, spreadsheet file load() aborted to prevent XXE/XEE attacks'); } if ($this->callback !== null && is_callable($this->callback)) { $xml = call_user_func($this->callback, $xml); } } finally { if (isset($previousLibxmlDisableEntityLoaderValue)) { libxml_disable_entity_loader($previousLibxmlDisableEntityLoaderValue); } } return $xml; } /** * Scan theXML for use of scan(file_get_contents($filestream)); } }