From fda32f8c431117360516e2b0e2f1a4f0527e9085 Mon Sep 17 00:00:00 2001
From: Nicolas Grekas
Date: Wed, 2 Mar 2016 15:53:47 +0100
Subject: [PATCH] [DomCrawler] Dont use LIBXML_PARSEHUGE by default
---
 src/Symfony/Component/DomCrawler/Crawler.php | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/src/Symfony/Component/DomCrawler/Crawler.php b/src/Symfony/Component/DomCrawler/Crawler.php
index a51463dd0fd84..79615185dd525 100644
--- a/src/Symfony/Component/DomCrawler/Crawler.php
+++ b/src/Symfony/Component/DomCrawler/Crawler.php
@@ -219,8 +219,11 @@ function ($m) {
 *
 * @param string $content The XML content
 * @param string $charset The charset
+ * @param int $options Bitwise OR of the libxml option constants
+ * LIBXML_PARSEHUGE is dangerous, see
+ * http://symfony.com/blog/security-release-symfony-2-0-17-released
 */
- public function addXmlContent($content, $charset = 'UTF-8')
+ public function addXmlContent($content, $charset = 'UTF-8', $options = LIBXML_NONET)
 {
 $internalErrors = libxml_use_internal_errors(true);
 $disableEntities = libxml_disable_entity_loader(true);
@@ -230,7 +233,7 @@ public function addXmlContent($content, $charset = 'UTF-8')
 if ('' !== trim($content)) {
 // remove the default namespace to make XPath expressions simpler
- @$dom->loadXML(str_replace('xmlns', 'ns', $content), LIBXML_NONET | (defined('LIBXML_PARSEHUGE') ? LIBXML_PARSEHUGE : 0));
+ @$dom->loadXML(str_replace('xmlns', 'ns', $content), $options);
 }
 libxml_use_internal_errors($internalErrors);
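Review bot: The new `@param int $options` text calls LIBXML_PARSEHUGE dangerous but leaves the reason to an external http:// link, so a caller reading the source cannot judge the risk without leaving the file. The docblock should state it directly, for example `LIBXML_PARSEHUGE relaxes libxml2's hardcoded parser limits (depth, entity recursion, text node size); enable it only for trusted content`. It should also say that the argument replaces the default rather than being merged with it, because that decides whether a caller has to repeat `LIBXML_NONET`. The method body continues outside this hunk.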
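Review bot: Passing `$options` straight to `loadXML()` means any caller-supplied value drops `LIBXML_NONET`, which the removed line applied unconditionally. A caller that opts back into large documents with only `LIBXML_PARSEHUGE` would lose the no-network flag without noticing. The `libxml_disable_entity_loader(true)` call earlier in the method still restricts external entity loading, but keeping the floor costs nothing: `@$dom->loadXML(str_replace('xmlns', 'ns', $content), LIBXML_NONET | $options);`. If fully replacing the default is intentional, the docblock should say so. addXmlContent's body starts before and continues after this hunk.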