simplesamlphp/saml2

PHP 8.0 support and `libxml_disable_entity_loader`

ldebrouwer opened this issue · 2 comments

In PHP 8.0 libxml_disable_entity_loader has been deprecated, and it throws a warning going forward. To support PHP 8.0 on the ^4.2.2 branch, as suggested by the composer.json, the calls to libxml_disable_entity_loader in DOMDocumentFactory::fromString() should be wrapped in version check, like so;

if (\PHP_VERSION_ID < 80000) {
    libxml_disable_entity_loader($entityLoader);
}

For the record, this is safe because PHP8 depends on a version of libxml that has external entities disabled.

It might be a good idea though, given the risk, to add a test for this so we ensure it is in fact disabled.

Closed in 04d0ed6 (v4.2.3). Thanks @ldebrouwer !