Updated documentation for XXE injection in readers

Documentation/markdown/ReadingSpreadsheetFiles/02-Security.md

@@ -0,0 +1,22 @@
+# PHPExcel User Documentation – Reading Spreadsheet Files
+
+
+## Security
+
+XML-based formats such as OfficeOpen XML, Excel2003 XML, OASIS and Gnumeric are susceptible to XML External Entity Processing (XXE) injection attacks (for an explanation of XXE injection see http://websec.io/2012/08/27/Preventing-XEE-in-PHP.html) when reading spreadsheet files. This can lead to:
+
+ - Disclosure whether a file is existent
+ - Server Side Request Forgery
+ - Command Execution (depending on the installed PHP wrappers)
+ 
+
+To prevent this, PHPExcel sets the LIBXML_DTDLOAD and LIBXML_DTDATTR settings for the XML Readers by default. 
+
+
+Should you ever need to change these settings, the following method is available through the PHPExcel_Settings:
+
+```
+PHPExcel_Settings::setLibXmlLoaderOptions();
+```
+
+Allowing you to specify the XML loader settings that you want to use instead.

changelog.txt

@@ -62,6 +62,8 @@ Fixed in develop branch for release v1.8.0:
 - General:  (adamriyadi)      Work Item GH-247  - Modify PHPExcel_Reader_Excel2007 to use zipClass from PHPExcel_Settings::getZipClass()
                                                   This allows the use of PCLZip when reading for people that don't have access to ZipArchive
 - General:  (infojunkie)      Work Item GH-276  - Convert properties to string in OOCalc reader
+- Security: (maartenba)       Work Item GH-322  - Disable libxml external entity loading by default.
+                                                  This is to prevent XML External Entity Processing (XXE) injection attacks (see http://websec.io/2012/08/27/Preventing-XEE-in-PHP.html for an explanation of XXE injection).
 
 
 Fixed in develop branch for release v1.7.9: