nielsdos
Member

Based on stale PR GH-1409.
Closes GH-1409.
Closes GH-1408.

…warn about constants which will override the new default behaviour

Based on stale PR phpGH-1409.
Closes phpGH-1409.
Closes phpGH-1408.

Co-authored-by: Andrew Nicols <andrew@nicols.co.uk>
Member

@Girgias Girgias left a comment

Thank you! Just markup remarks about linking

<caution>
<simpara>
Enabling loading of DTD attributes will enable fetching of external entities.
The <link linkend="constant.libxml-no-xxe"><constant>LIBXML_NO_XXE</constant></link> constant can be used to prevent this (only available in Libxml &gt;= 2.13.0, as of PHP 8.4.0).
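
Review bot: The second sentence of this caution names LIBXML_NO_XXE as the only mitigation, while its own parenthetical restricts the constant to Libxml 2.13.0 or later and PHP 8.4.0, so readers on older builds get no guidance. Consider pointing to libxml_set_external_entity_loader here as well, as the paragraph elsewhere in this change that calls it "preferable" already does; the same applies to the other cautions that reuse this sentence.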

Linking is automatic now

Suggested change
The <link linkend="constant.libxml-no-xxe"><constant>LIBXML_NO_XXE</constant></link> constant can be used to prevent this (only available in Libxml &gt;= 2.13.0, as of PHP 8.4.0).
The <constant>LIBXML_NO_XXE</constant> constant can be used to prevent this (only available in Libxml &gt;= 2.13.0, as of PHP 8.4.0).
<caution>
<simpara>
Enabling loading of external subsets will enable fetching of external entities.
The <link linkend="constant.libxml-no-xxe"><constant>LIBXML_NO_XXE</constant></link> constant can be used to prevent this (only available in Libxml &gt;= 2.13.0, as of PHP 8.4.0).

Ditto

<caution>
<simpara>
Enabling validating the DTD may facilitate XML External Entity (XXE) attacks.
The <link linkend="constant.libxml-no-xxe"><constant>LIBXML_NO_XXE</constant></link> constant can be used to prevent this (only available in Libxml &gt;= 2.13.0, as of PHP 8.4.0).
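
Review bot: The first sentence of this caution, "Enabling validating the DTD may facilitate ...", reads awkwardly and hedges with "may facilitate", whereas the sibling cautions state that the option "will enable fetching of external entities". Suggest "Enabling DTD validation ..." and either aligning the wording across the cautions or saying why validation is only a possible risk.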

Ditto

<constant>LIBXML_DTDVALID</constant>, or <constant>LIBXML_DTDLOAD</constant>.
Generally, it is preferable to use <function>libxml_set_external_entity_loader</function>
to suppress loading of external entities.
The <link linkend="constant.libxml-no-xxe"><constant>LIBXML_NO_XXE</constant></link> constant can be used to prevent this as well (only available in Libxml &gt;= 2.13.0, as of PHP 8.4.0).

Ditto

Comment on lines 107 to 109
<member><link linkend="libxml.constants">The <constant>LIBXML_NOENT</constant> constant</link></member>
<member><link linkend="libxml.constants">The <constant>LIBXML_DTDVALID</constant> constant</link></member>
<member><link linkend="libxml.constants">The <constant>LIBXML_NO_XXE</constant> constant</link></member>

Those link tags are unnecessary now

@Girgias Girgias left a comment

Thank you!
