Current Location: Home> Latest Articles> How to Prevent External Entity Attacks by Combining the libxml_use_internal_errors and libxml_disable_entity_loader Functions

How to Prevent External Entity Attacks by Combining the libxml_use_internal_errors and libxml_disable_entity_loader Functions

gitbox 2025-06-16

XML is widely used in modern web development for data exchange, configuration files, and various other scenarios. However, without proper precautions, the XML parsing process can become a source of vulnerability for external entity attacks (XXE, XML External Entity attacks). XXE attacks allow attackers to inject malicious content via XML files, leading to information leakage, denial of service (DoS) attacks, or the execution of malicious code.

To address this issue, PHP provides several built-in functions to prevent external entity attacks. Among them, libxml_use_internal_errors() and libxml_disable_entity_loader() are two highly effective protective measures. This article will explain in detail how to use these two functions together to prevent external entity attacks.

1. What is an External Entity Attack (XXE)?

External entity attacks (XXE) are executed through external entity declarations in XML files. An XML file can reference external resources, which can be system files, URLs, or other external resources. Attackers can craft a malicious XML file to point to sensitive information or cause the server to execute unsafe operations.

For example, an attacker can construct an XML file as follows:

<!DOCTYPE foo [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<root>
  <data>&xxe;</data>
</root>

In this case, the XML parser will attempt to read the system's /etc/passwd file and inject its content into the data element. Such attacks can lead to sensitive data leakage.

2. How to Handle XML Errors Using libxml_use_internal_errors()?

When handling XML data, PHP by default throws warnings or errors when parsing fails, which may expose too much error information. Using libxml_use_internal_errors() can suppress these default error outputs and employ an internal error handling mechanism. This ensures that even if the XML data is malformed or contains potential vulnerabilities, the program will not expose detailed error information.

Example Code:

libxml_use_internal_errors(true);
<p>$xmlString = '<root><data>&xxe;</data></root>';<br>
$xml = simplexml_load_string($xmlString);</p>
<p>if ($xml === false) {<br>
echo "An error occurred while loading the XML.\n";<br>
foreach(libxml_get_errors() as $error) {<br>
echo $error->message . "\n";<br>
}<br>
}<br>

In this example, libxml_use_internal_errors(true) ensures that if the XML file has issues, the program will not throw warnings directly. The error information is stored internally and can be accessed through libxml_get_errors().

3. How to Disable External Entity Loading Using libxml_disable_entity_loader()?

libxml_disable_entity_loader() is another key function that allows developers to disable the XML parser’s ability to load external entities, effectively preventing XXE attacks. If external entity loading is disabled, the XML parser will not be able to load remote resources or system files.

Example Code:

libxml_disable_entity_loader(true);
<p>$xmlString = '<?xml version="1.0"?><br>
<!DOCTYPE foo [<br>
<!ENTITY xxe SYSTEM "file:///etc/passwd"><br>
]><br>
<root><br>
<data>&xxe;</data><br>
</root>';</p>
<p>$xml = simplexml_load_string($xmlString);</p>
<p>if ($xml === false) {<br>
echo "XML loading failed, external entities are disabled.\n";<br>
}<br>

In this example, libxml_disable_entity_loader(true) disables the loading of external entities, preventing attackers from loading external resources via XML files. Even if the XML file contains an external entity declaration, the parser will not process it.

4. Combining libxml_use_internal_errors() and libxml_disable_entity_loader() to Prevent XXE Attacks

To effectively prevent external entity attacks, we can combine these two functions, ensuring that XML parsing both suppresses error outputs and disables external entity loading.

Combined Example Code:

libxml_use_internal_errors(true);
libxml_disable_entity_loader(true);
<p>$xmlString = '<?xml version="1.0"?><br>
<!DOCTYPE foo [<br>
<!ENTITY xxe SYSTEM "file:///etc/passwd"><br>
]><br>
<root><br>
<data>&xxe;</data><br>
</root>';</p>
<p>$xml = simplexml_load_string($xmlString);</p>
<p>if ($xml === false) {<br>
echo "XML loading failed.\n";<br>
foreach(libxml_get_errors() as $error) {<br>
echo $error->message . "\n";<br>
}<br>
}<br>

In this example, libxml_use_internal_errors(true) hides error messages during parsing, while libxml_disable_entity_loader(true) ensures that external entities are disabled. Even if the XML file contains external entities, no sensitive information will be leaked or malicious operations executed.

5. Conclusion

External entity attacks (XXE) are a common and dangerous type of vulnerability that can lead to serious security issues if mishandled. To effectively prevent such attacks, PHP provides the libxml_use_internal_errors() and libxml_disable_entity_loader() functions. These functions help developers control XML parsing error outputs and disable external entity loading. By combining these two functions, PHP applications' security can be significantly enhanced, preventing external entity attacks.

Related