disable xml entities parsing and update changelog

troosan · troosan · commit f8598d6aa25b · 2018-07-12T21:51:22.000+02:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -48,4 +48,14 @@
 
 ### Features
 - Added `\PhpOffice\Common\File::fileGetContents()` (with support of zip://)
-- Added Support for PHP 7.1
+- Added Support for PHP 7.1
+
+## 0.2.8
+
+### Features
+- Added possibility to register namespaces to DOMXpath
+- Added Utility to get an Office compatible hash of a password
+- Write attribute's value of type float independently of locale
+
+## 0.2.9
+- Fix XML Entity injection vulnerability
diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-0.2.7
+0.2.9
diff --git a/src/Common/XMLReader.php b/src/Common/XMLReader.php
@@ -71,6 +71,7 @@ public function getDomFromZip($zipFile, $xmlFile)
      */
     public function getDomFromString($content)
     {
+        libxml_disable_entity_loader(true);
         $this->dom = new \DOMDocument();
         $this->dom->loadXML($content);
 

Original file line number	Diff line number	Diff line change
`@@ -71,6 +71,7 @@ public function getDomFromZip($zipFile, $xmlFile)`
`71`	`71`	`*/`
`72`	`72`	`public function getDomFromString($content)`
`73`	`73`	`{`
	`74`	`+ libxml_disable_entity_loader(true);`
`74`	`75`	`$this->dom = new \DOMDocument();`
`75`	`76`	`$this->dom->loadXML($content);`
`76`	`77`