nyx/tests/fixtures/xxe/php/unsafe_xxe.php

mirror of https://github.com/elicpeter/nyx.git synced 2026-06-15 20:05:13 +02:00
<?php
// Unsafe: $_GET['xml'] flows into simplexml_load_string with the LIBXML_NOENT
// flag, enabling external-entity expansion (XXE).
$xml = $_GET['xml'];
$doc = simplexml_load_string($xml, "SimpleXMLElement", LIBXML_NOENT);
echo $doc->title;
new capacity bits (#67) 2026-05-07 01:29:31 -04:00			`<?php`
			`// Unsafe: $_GET['xml'] flows into simplexml_load_string with the LIBXML_NOENT`
			`// flag, enabling external-entity expansion (XXE).`
			`$xml = $_GET['xml'];`
			`$doc = simplexml_load_string($xml, "SimpleXMLElement", LIBXML_NOENT);`
			`echo $doc->title;`