]>
&systemEntity;
*/
/**
 * Error handler installed around DOMDocument::loadXML().
 *
 * Escalates loadXML() warnings into a DOMException so the caller can catch
 * them; every other error is handed back to PHP's default handler by
 * returning false.
 *
 * @param int    $errno   PHP error level (E_WARNING, E_NOTICE, ...)
 * @param string $errstr  error message text
 * @param string $errfile file the error was raised in (unused)
 * @param int    $errline line the error was raised on (unused)
 * @return false when the error is not a loadXML() warning
 * @throws DOMException for E_WARNING errors whose message mentions DOMDocument::loadXML()
 */
function HandleXmlError($errno, $errstr, $errfile, $errline){
    $lIsLoadXmlWarning = ($errno == E_WARNING)
        && (strpos($errstr, "DOMDocument::loadXML()") !== false);

    if (!$lIsLoadXmlWarning) {
        return false; // let the default handler deal with it
    }

    throw new DOMException($errstr);
}// end function HandleXmlError
try {
    // Per-level feature toggles. Levels 0 and 1 are deliberately left open
    // (the libxml entity loader stays enabled); levels 2-5 switch the
    // protections on. There is no default branch: an unrecognised level
    // leaves every toggle unset, exactly as before.
    $lSecurityLevel = $_SESSION["security-level"];
    switch ($lSecurityLevel){
        case "0": // This code is insecure
        case "1": // This code is insecure
            // Level 1 only adds client-side controls on top of level 0.
            $lIsLevelOne = ($lSecurityLevel == "1");
            $lEnableHTMLControls = $lIsLevelOne;
            $lEnableJavaScriptValidation = $lIsLevelOne;
            $lEnableXMLValidation = FALSE;
            $lEnableXMLEncoding = FALSE;
            $lProtectAgainstMethodTampering = FALSE;
            libxml_disable_entity_loader(FALSE);
            break;
        case "2":
        case "3":
        case "4":
        case "5": // This code is fairly secure
            $lEnableHTMLControls = TRUE;
            $lEnableJavaScriptValidation = TRUE;
            $lEnableXMLValidation = TRUE;
            $lEnableXMLEncoding = TRUE;
            $lProtectAgainstMethodTampering = TRUE;
            libxml_disable_entity_loader(TRUE);
            break;
    }//end switch

    $lHTMLControlAttributes = $lEnableHTMLControls ? 'required="required"' : "";

    // The form counts as submitted if the button arrived by POST or by any method.
    $lFormSubmitted = isset($_POST["xml-validator-php-submit-button"])
        || isset($_REQUEST["xml-validator-php-submit-button"]);

    if ($lFormSubmitted){
        // With method-tampering protection on, only POST is accepted as the
        // source of the fields; otherwise GET/COOKIE values are taken too.
        $lInput = $lProtectAgainstMethodTampering ? $_POST : $_REQUEST;
        $lXMLValidatorSubmitButton = $lInput["xml-validator-php-submit-button"];
        $lXML = $lInput["xml"];

        // Logging is best-effort: a logging failure must not block validation.
        try {
            $lXMLToLog = $lEnableXMLEncoding ? $Encoder->encodeForXML($lXML) : $lXML;
            $LogHandler->writeToLog("Recieved request to validate XML for: " . $lXMLToLog);
        } catch (Exception $e) {
            //do nothing
        }// end try
    }// end if $lFormSubmitted
} catch (Exception $e) {
    // NOTE(review): $lQueryString is not assigned anywhere in this section;
    // presumably it is set earlier in the file - confirm.
    echo $CustomErrorHandler->FormatError($e, $lQueryString);
}// end try;
?>
getHint("ReflectedXSSExecutionPoint");
} catch (Exception $e) {
echo $CustomErrorHandler->FormatError($e, "Error attempting to execute query to fetch bubble hints.");
}// end try
?>
XML Validator
0){
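try{
    // Input screening is only enforced at the "fairly secure" levels: the
    // document is rejected when it matches the external-entity patterns or
    // contains characters outside the allowed XML set. At levels 0/1 the
    // check is skipped and the document is parsed as submitted.
    if(!($lEnableXMLValidation && (preg_match(XML_EXTERNAL_ENTITY_REGEX_PATTERNS, $lXML) || !preg_match(VALID_XML_CHARACTERS, $lXML)))){
        echo "";
        echo "XML Submitted ";
        echo "" . $Encoder->encodeForXML($lXML) . "
";
        echo " ";
        echo "
";
        try {
            // Route loadXML() warnings through HandleXmlError so malformed
            // input surfaces as a DOMException instead of a PHP warning.
            set_error_handler('HandleXmlError');
            $lDOMDocument = new DOMDocument();
            // Both flags make the parser expand entity references, including
            // external ones; whether those are actually fetched is governed by
            // the libxml_disable_entity_loader() toggle chosen per security level.
            $lDOMDocument->resolveExternals = true;
            $lDOMDocument->substituteEntities = true;
            $lDOMDocument->preserveWhiteSpace=true;
            $lDOMDocument->loadXML($lXML);
            // Restore immediately after the only call that can raise the
            // warning, so the custom handler is installed for as short a
            // window as possible.
            restore_error_handler();

            // Follow the page's own encoding toggle for the parsed text, as
            // the submitted document above already does: at levels with
            // encoding enabled the text is escaped before being echoed.
            if ($lEnableXMLEncoding){
                $lTextContentToShow = $Encoder->encodeForXML($lDOMDocument->textContent);
            }else{
                $lTextContentToShow = $lDOMDocument->textContent;
            }// end if

            echo "";
            echo "Text Content Parsed From XML ";
            echo "" . $lTextContentToShow . "
";
            echo " ";
            echo "
";
        } catch(Exception $e) {
            // loadXML() threw through HandleXmlError, so the restore on the
            // success path never ran; put the previous handler back before
            // reporting, otherwise it stays installed for the rest of the request.
            restore_error_handler();
            echo $CustomErrorHandler->FormatError($e, "Could not parse XML because the input is mal-formed or could not be interpreted.");
        }//end try
    }else{
        echo "
";
        echo "
Possible XML external entity injection attack detected.
Support has been notified.
";
    }//end if
} catch (Exception $e) {
    // NOTE(review): $lQueryString is not assigned in this section; presumably
    // set earlier in the file - confirm.
    echo $CustomErrorHandler->FormatError($e, $lQueryString);
}// end try;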
}// end if (isset($_POST))
?>