prevents injection of malicious doc types

Author: schmittjoh

Encoder/XmlEncoder.php

@@ -54,6 +54,7 @@ public function encode($data, $format)
      */
     public function decode($data, $format)
     {
+        $this->assertNoCustomDocType($data);
         $internalErrors = libxml_use_internal_errors(true);
         $disableEntities = libxml_disable_entity_loader(true);
         libxml_clear_errors();
@@ -290,6 +291,17 @@ private function buildXml($parentNode, $data)
         throw new UnexpectedValueException('An unexpected value could not be serialized: '.var_export($data, true));
     }
 
+    private function assertNoCustomDocType($data)
+    {
+        $dom = new \DOMDocument;
+        $dom->loadXML($data);
+        foreach ($dom->childNodes as $child) {
+            if ($child->nodeType === XML_DOCUMENT_TYPE_NODE) {
+                throw new \InvalidArgumentException('Document types are not allowed.');
+            }
+        }
+    }
+
     /**
      * Selects the type of node to create and appends it to the parent.
      *