All, I wanted to float an idea by you for PHP 7 (or 7.1 depending on the RM's feedback).
Currently, PHP by default is vulnerable to XXE attacks: https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing To bypass this, you need to turn off external entity loading: libxml_disable_entity_loader(true); What I'm proposing is to disable entity loading by default. That way it requires developers to opt-in to actually load external entities. Thoughts? Anthony -- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php
