libxml_disable_entity_loader()

The libxml_disable_entity_loader() function in PHP was used to disable the loading of external entities in XML documents. Note: This function was deprecated in PHP 8.0 and removed in PHP 8.1. Modern applications should use LIBXML_NONET or configure DOMDocument directly.

What is libxml_disable_entity_loader() Function?

The libxml_disable_entity_loader() function was a built-in PHP utility designed to block external entity resolution during XML parsing. It was primarily used to mitigate XML External Entity (XXE) attacks, where attackers inject malicious entity references to read sensitive server files, perform server-side request forgery (SSRF), or cause denial-of-service conditions.

How to Use libxml_disable_entity_loader() Function

The function accepts a single boolean parameter. Passing true disables external entity loading, while false (the default) enables it.

Here is an example of the legacy usage:

Legacy Usage in PHP

<?php
  // Disable external entities (Deprecated in PHP 8.0, removed in 8.1)
  if (function_exists('libxml_disable_entity_loader')) {
    libxml_disable_entity_loader(true);
  }

  // Load an XML file into a DOMDocument object
  $doc = new DOMDocument();
  if (!$doc->load('example.xml')) {
    die('Failed to load XML file.');
  }
?>

In this example, we conditionally call the function to disable external entity resolution, then load the XML file with basic error handling.

Since PHP 8.1, the recommended approach is to pass the LIBXML_NONET flag when loading XML:

<?php
  $doc = new DOMDocument();
  $doc->load('example.xml', LIBXML_NONET);
?>
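
As an added example (not code from the original page), the following regression check parses a constructed document whose external entity points at a temporary local file, once per flag combination. LIBXML_NOENT is the flag that turns entity substitution on and LIBXML_NONET only blocks network fetches, so each combination is reported separately before a blocking loader is installed with libxml_set_external_entity_loader(). It assumes PHP 8.x built against libxml2 2.9.0 or later and a POSIX temp path; the marker string, the temp file and the helper entity_was_loaded() are constructed for this example.

```php
<?php
// Added example, not from the original page.
// Assumes PHP 8.x with libxml2 >= 2.9.0 and a POSIX-style temp directory.
const MARKER = 'CONSTRUCTED-SECRET-7f3a'; // constructed sample value

// Parse $xml with the given libxml flags and report whether the marker
// from the external file ended up in the parsed document.
function entity_was_loaded(string $xml, int $flags): bool
{
    $doc = new DOMDocument();
    if (!$doc->loadXML($xml, $flags) || $doc->documentElement === null) {
        return false; // parse failed, nothing was exposed
    }
    return str_contains($doc->documentElement->textContent, MARKER);
}

libxml_use_internal_errors(true); // collect parser warnings instead of printing them

// Constructed input: a local file, and a document whose DTD declares an
// external entity that points at it.
$secret = tempnam(sys_get_temp_dir(), 'xxe');
file_put_contents($secret, MARKER);
$xml = '<?xml version="1.0"?>'
     . '<!DOCTYPE r [<!ENTITY x SYSTEM "file://' . $secret . '">]>'
     . '<r>&x;</r>';

$cases = [
    'no flags'                    => 0,
    'LIBXML_NONET'                => LIBXML_NONET,
    'LIBXML_NOENT'                => LIBXML_NOENT,
    'LIBXML_NOENT | LIBXML_NONET' => LIBXML_NOENT | LIBXML_NONET,
];
foreach ($cases as $label => $flags) {
    printf("%-28s entity loaded: %s\n", $label, entity_was_loaded($xml, $flags) ? 'YES' : 'no');
}

// Process-wide guard in place of libxml_disable_entity_loader(true):
// refuse every external entity, whatever flags later code passes.
libxml_set_external_entity_loader(fn($public, $system, $context) => null);
printf("%-28s entity loaded: %s\n", 'NOENT + blocking loader',
    entity_was_loaded($xml, LIBXML_NOENT) ? 'YES' : 'no');

libxml_set_external_entity_loader(null); // restore the default loader
unlink($secret);
```

Any row that prints YES marks a flag combination that must not be used on untrusted XML.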

Conclusion

While libxml_disable_entity_loader() was once essential for securing XML parsers against XXE vulnerabilities, it is no longer available in modern PHP versions. Developers should migrate to LIBXML_NONET or explicitly configure DOMDocument options to maintain secure XML processing.

Practice

What does the libxml_disable_entity_loader() function do in PHP?
