Merge branch 'security/zf2014-01'

Resolves ZF2014-01 - XXE/XEE vulnerabilities
zendframework · Mar 6, 2014 · 89fc6f7 · 89fc6f7
2 parents 184be92 + acc60fc
commit 89fc6f7
Showing 1 changed file with 3 additions and 2 deletions.
diff --git a/src/Json.php b/src/Json.php
@@ -12,6 +12,7 @@
 use SimpleXMLElement;
 use Zend\Json\Exception\RecursionException;
 use Zend\Json\Exception\RuntimeException;
+use ZendXml\Security as XmlSecurity;
 
 /**
  * Class for encoding to and decoding from JSON.
@@ -311,10 +312,10 @@ protected static function _processXml($simpleXmlElementObject, $ignoreXmlAttribu
     public static function fromXml($xmlStringContents, $ignoreXmlAttributes = true)
     {
         // Load the XML formatted string into a Simple XML Element object.
-        $simpleXmlElementObject = simplexml_load_string($xmlStringContents);
+        $simpleXmlElementObject = XmlSecurity::scan($xmlStringContents);
 
         // If it is not a valid XML content, throw an exception.
-        if ($simpleXmlElementObject == null) {
+        if (!$simpleXmlElementObject) {
             throw new RuntimeException('Function fromXml was called with an invalid XML formatted string.');
         } // End of if ($simpleXmlElementObject == null)