Harden PHP XML parsing against external entities | Critiq Docs

#Metadata

Rule ID: php.security.xml-external-entity
Severity: high
Confidence: 0.9
Languages: php
Presets: security, strict
Stability: stable
Applies to: block
Tags: php, rules-catalog, security, xml, xxe

#Why it matters

Unsafe XML parser configuration enables XXE attacks that can leak files and reach internal services.

#Remediation

Call libxml_disable_entity_loader(true) before parsing and pass LIBXML_NONET; never enable LIBXML_NOENT.

#Repository path

The generated metadata points to critiq-rules/libs/rules/catalog/rules/php/php.security.xml-external-entity.rule.yaml.

Back to directory Open rule in repository