Update security section in Reader documentation

Mark Baker 2014-02-21 10:21:04 +00:00
parent 1abf061df3
commit 16c1a19d34
2 changed files with 1 additions and 12 deletions

@ -10,15 +10,4 @@ XML-based formats such as OfficeOpen XML, Excel2003 XML, OASIS and Gnumeric are
- Command Execution (depending on the installed PHP wrappers)
To prevent this, PHPExcel sets the LIBXML_DTDLOAD and LIBXML_DTDATTR settings for the XML Readers by default.
Should you ever need to change these settings, the following method is available through the PHPExcel_Settings:
```
PHPExcel_Settings::setLibXmlLoaderOptions();
```
Allowing you to specify the XML loader settings that those that you want to use instead.
> While PHPExcel protects you with its default settings, if you do change these settings yourself, then you're responsible for ensuring that your XML-based formats aren't open to XXE injection.
To prevent this, PHPExcel sets `libxml_disable_entity_loader` to `true` for the XML-based Readers by default.
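Review bot: The last line of the hunk says `libxml_disable_entity_loader` is set to `true` "by default", but with the `PHPExcel_Settings::setLibXmlLoaderOptions()` paragraph gone the section no longer says how, or whether, that default can be changed. Either drop "by default" or document the supported override, and keep the earlier warning that anyone who changes the setting is responsible for their own XXE exposure. The text should also say that `libxml_disable_entity_loader` is a process-wide PHP setting rather than a per-reader option, and whether the Readers restore the previous value after loading, since other XML parsing in the same application is affected by it.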