Merge pull request #6 from wmde/disableEntityLoader

Temporarily libxml_disable_entity_loader for security

Author: jakobw

src/Component.php

@@ -10,6 +10,7 @@
 use DOMNodeList;
 use DOMText;
 use Exception;
+use LibXMLError;
 
 use WMDE\VueJsTemplating\FilterExpressionParsing\FilterParser;
 use WMDE\VueJsTemplating\JsParsing\BasicJsExpressionParser;
@@ -65,6 +66,7 @@ public function render( array $data ) {
 	 * @return DOMDocument
 	 */
 	private function parseHtml( $template ) {
+		$entityLoaderDisabled = libxml_disable_entity_loader( true );
 		$internalErrors = libxml_use_internal_errors( true );
 		$document = new DOMDocument();
 
@@ -73,9 +75,14 @@ private function parseHtml( $template ) {
 			//TODO Test failure
 		}
 
+		/** @var LibXMLError[] $errors */
 		$errors = libxml_get_errors();
 		libxml_clear_errors();
+
+		// Restore previous state
 		libxml_use_internal_errors( $internalErrors );
+		libxml_disable_entity_loader( $entityLoaderDisabled );
+
 		foreach ( $errors as $error ) {
 			//TODO html5 tags can fail parsing
 			//TODO Throw an exception
@@ -243,8 +250,7 @@ private function handleFor( DOMNode $node, array $data ) {
 	}
 
 	private function appendHTML( DOMNode $parent, $source ) {
-		$tmpDoc = new DOMDocument();
-		$tmpDoc->loadHTML( $source );
+		$tmpDoc = $this->parseHtml( $source );
 		foreach ( $tmpDoc->getElementsByTagName( 'body' )->item( 0 )->childNodes as $node ) {
 			$node = $parent->ownerDocument->importNode( $node, true );
 			$parent->appendChild( $node );