src/PhpSpreadsheet/Reader/HTML.php 1 location
|
@@ 556-564 (lines=9) @@
|
| 553 |
|
* @param string $xml |
| 554 |
|
* @throws Exception |
| 555 |
|
*/ |
| 556 |
|
public function securityScan($xml) |
| 557 |
|
{ |
| 558 |
|
$pattern = '/\\0?' . implode('\\0?', str_split('<!ENTITY')) . '\\0?/'; |
| 559 |
|
if (preg_match($pattern, $xml)) { |
| 560 |
|
throw new Exception('Detected use of ENTITY in XML, spreadsheet file load() aborted to prevent XXE/XEE attacks'); |
| 561 |
|
} |
| 562 |
|
|
| 563 |
|
return $xml; |
| 564 |
|
} |
| 565 |
|
} |
| 566 |
|
|
src/PhpSpreadsheet/Reader/BaseReader.php 1 location
|
@@ 251-259 (lines=9) @@
|
| 248 |
|
* @param string $xml |
| 249 |
|
* @throws Exception |
| 250 |
|
*/ |
| 251 |
|
public function securityScan($xml) |
| 252 |
|
{ |
| 253 |
|
$pattern = '/\\0?' . implode('\\0?', str_split('<!DOCTYPE')) . '\\0?/'; |
| 254 |
|
if (preg_match($pattern, $xml)) { |
| 255 |
|
throw new Exception('Detected use of ENTITY in XML, spreadsheet file load() aborted to prevent XXE/XEE attacks'); |
| 256 |
|
} |
| 257 |
|
|
| 258 |
|
return $xml; |
| 259 |
|
} |
| 260 |
|
|
| 261 |
|
/** |
| 262 |
|
* Scan theXML for use of <!ENTITY to prevent XXE/XEE attacks |
PHPOffice /
PhpSpreadsheet
