|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #80357 Unable to re-enable entity loader without triggering a deprecation
Submitted: 2020-11-12 20:02 UTC Modified: 2021-01-19 12:27 UTC
From: jeremy at derusse dot com Assigned:
Status: Open Package: *XML functions
PHP Version: 8.0.0RC4 OS: All
Private report: No CVE-ID: None
View Add Comment Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please — but make sure to vote on the bug!
Your email address:
Solve the problem:
37 + 10 = ?
Subscribe to this entry?

 [2020-11-12 20:02 UTC] jeremy at derusse dot com
calling libxml_disable_entity_loader has been deprecated in PHP >= 8.0 (

But if a 3rd party library disable the entity loader, we have no way to re-enable it (or even to know if we have to re-enable it) without triggering a deprecation.

Suggested change:
- do not trigger deprecation when calling the method with `false` 
- add a new method `libxml_entity_loader_disabled()` that returns true/false when the entity loader is disabled


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2020-11-12 20:41 UTC]
-Status: Open +Status: Feedback
 [2020-11-12 20:41 UTC]
As far as I can tell, the whole point of the change was to deprecate the entire function and force callers who want entity loading to do so at the time of loading (using LIBXML_NOENT). Eventually it will be removed entirely, which would make a "libxml_entity_loader_disabled" function pointless.

IMO this is one of those times when you should use @ to suppress the warning. I mean, if there is code that disables the loader then it will be triggering the deprecation warning too, right?
 [2020-11-13 07:55 UTC] jeremy at derusse dot com
Thank you for the suggestion, but silencing the deprecation with an `@` doesn't work: frameworks like Symfony, use error_handler to collect and logs deprecations. At the end the deprecation is not that silent.

And I would like avoiding juggling with temporary error handlers to "just" silent a deprecation.

What's about `libxml_entity_loader_disabled(A_FALSE_CONSTANT)` that re-enable the entity loader but without triggering the deprecation?
 [2020-11-13 10:30 UTC]
-Status: Feedback +Status: Open
 [2020-11-13 10:30 UTC]
In hindsight, it might have been best to remove this functionality
altogether, i.e. make libxml_disable_entity_loader() a NOP, but
it's probably too late to do that now.  Not issuing E_DEPRECATED
if the function is called with FALSE, appears to be not
 [2020-11-19 22:31 UTC] jeremy at derusse dot com
Do you know if Not triggering E_DEPRECATED when the function is called with FALSE, appears is doable?
 [2020-12-09 09:13 UTC] marek dot janata at seznam dot cz
Not using deprecated libxml_disable_entity_loader leads to XXE vulnerability.
My settings: Apache 2.4, Windows, PHP 8.0.0, libxml 2.9.10

Consider the following code:

// ---------------
$file = 'C:/secret/file.txt';
$xml = '<' . '?xml version="1.0" encoding="utf-8"?' .'>'
    .'<!DOCTYPE tag [<!ENTITY foo PUBLIC "bar" "'.$file.'" >]>'

$prev = libxml_disable_entity_loader(TRUE);

$doc = new DOMDocument();
$doc->preserveWhiteSpace = FALSE;
$loadRes = $doc->loadXML($xml, LIBXML_NOENT);


print $doc->saveXml();
// ---------------

With libxml_disable_entity_loader, we get E_DEPRECATED, but the contents of local file is not loaded.

Without libxml_disable_entity_loader, the code displays contents of local file.

In our application, we want to allow local entities in XML document, so we have to call loadXml with LIBXML_NOENT flag.
 [2020-12-09 10:12 UTC] jeremy at derusse dot com
Please open a new issue if you have a bug with libxml that does not disable the entity loader by default.

This is not related to this bug: not triggering a deprecation on PHP8

note: on linux: PHP 8.0, libxml2 Version => 2.9.9
The provided code works with `libxml_disable_entity_loader(true)` and without `libxml_disable_entity_loader` (beware removing the call to `libxml_disable_entity_loader` has not the same effect than calling `libxml_disable_entity_loader(false)`)
 [2021-01-19 12:27 UTC]
After further consideration, it seems to me that calling
libxml_disable_entity_loader(true) is generally a bad idea as of
PHP 5.4.0 which introduced libxml_set_external_entity_loader().
That latter function as is doesn't resolve the mentioned library
interoperability issues, though.
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Mon Oct 18 21:03:39 2021 UTC