Libxml was changed a while back to not expand xml entities by default (preventing many XXE and DoS vulnerabilities by default). It seems like that either caused, or influenced another change, so that xml_parse in the zend engine doesn't expand entities either.
In our SVG filtering, we assume the xml is expanded while filtering, since Adobe seems to frequently output svg's with entities (so we can't prevent them categorically). There doesn't seem to be any options to force xml_parse to do the expansion.
Tim heard a recommendation to move to XMLReader in general, over xml_parse. We can pretty easily convert XmlTypeCheck to use XMLReader behind the existing interface.
--------------------------
**Patch**: {F104172}
- 1.24: {F106280}
- 1.23: {F106280}
- 1.19: {F106279}
**Affected Versions**: (needed)
**Type**: xss
**CVE**: