From 1c463d01fc7bc90111abac58bff7d58fe8701a2a Mon Sep 17 00:00:00 2001
From: Lukas Reschke
Date: Mon, 29 Sep 2014 20:13:28 +0200
Subject: Disable XML entity parsing
---
 articleenhancer/globalarticleenhancer.php | 4 ++++
 articleenhancer/xpatharticleenhancer.php | 6 ++++++
 2 files changed, 10 insertions(+)
(limited to 'articleenhancer')
diff --git a/articleenhancer/globalarticleenhancer.php b/articleenhancer/globalarticleenhancer.php
index 7411d0adc..f4466f75f 100644
--- a/articleenhancer/globalarticleenhancer.php
+++ b/articleenhancer/globalarticleenhancer.php
@@ -23,13 +23,17 @@ class GlobalArticleEnhancer implements ArticleEnhancer {
 * This method is run after all enhancers and for every item
 */
 public function enhance(Item $item) {
+
 $dom = new \DOMDocument();
 // wrap it inside a div if there is none to prevent invalid wrapping
 // inside

tags $body = '

' . $item->getBody() . '
';
+ $loadEntities = libxml_disable_entity_loader(true);
 @$dom->loadHTML($body, LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
+ libxml_disable_entity_loader($loadEntities);
+
 $xpath = new \DOMXpath($dom);
 // remove youtube autoplay
diff --git a/articleenhancer/xpatharticleenhancer.php b/articleenhancer/xpatharticleenhancer.php
index ad2e65f0b..0550ada46 100644
--- a/articleenhancer/xpatharticleenhancer.php
+++ b/articleenhancer/xpatharticleenhancer.php
@@ -67,7 +67,10 @@ class XPathArticleEnhancer implements ArticleEnhancer {
 }
 $dom = new \DOMDocument();
+
+ $loadEntities = libxml_disable_entity_loader(true);
 @$dom->loadHTML($body);
+ libxml_disable_entity_loader($loadEntities);
 $xpath = new \DOMXpath($dom);
 $xpathResult = $xpath->evaluate($search);
@@ -131,9 +134,12 @@ class XPathArticleEnhancer implements ArticleEnhancer {
 $dom->preserveWhiteSpace = false;
 // return, if xml is empty or loading the HTML fails
+ $loadEntities = libxml_disable_entity_loader(true);
 if( trim($xmlString) == "" || !@$dom->loadHTML($xmlString) ) {
+ libxml_disable_entity_loader($loadEntities);
 return $xmlString;
 }
+ libxml_disable_entity_loader($loadEntities);
 // remove removeChild($dom->firstChild);
--
cgit v1.2.3
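Review bot: The save/disable/restore sequence added around `loadHTML()` in `enhance()` has no comment saying why it is there, and the same three lines are repeated in both hunks of xpatharticleenhancer.php. Because `libxml_disable_entity_loader()` flips a setting shared by all libxml users in the process, one call site that misses the restore would leave later file-based XML loads failing, so a single private helper that toggles, loads and restores would be safer than three copies. At minimum add above the first call `// body is untrusted markup: block external entity loading while parsing, then put the previous setting back`. The function is deprecated as of PHP 8.0, which is another reason to keep the call in one place. `enhance()` continues past the end of the hunk.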
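Review bot: In the last hunk of xpatharticleenhancer.php the restore call is written twice, once inside the early-return branch and once after it, so any branch added later between the two can exit with entity loading still disabled. Capturing the result first leaves one restore path: `$loaded = trim($xmlString) != "" && @$dom->loadHTML($xmlString);`, then `libxml_disable_entity_loader($loadEntities);`, then `if( !$loaded ) { return $xmlString; }`. Behaviour is the same, including skipping the parse for an empty string. The enclosing method starts and ends outside the hunk.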