# PHPExcel User Documentation – Reading Spreadsheet Files

## Security
XML-based formats such as OfficeOpen XML, Excel2003 XML, OASIS and Gnumeric are susceptible to XML External Entity Processing (XXE) injection attacks when spreadsheet files are read (for an explanation of XXE injection see http://websec.io/2012/08/27/Preventing-XEE-in-PHP.html). This can lead to:

- Disclosure of whether a file exists
- Server Side Request Forgery
- Command Execution (depending on the installed PHP wrappers)

To prevent this, PHPExcel sets `libxml_disable_entity_loader` to `true` for the XML-based Readers by default.
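
The same defence can be applied in application code that parses untrusted XML outside PHPExcel's readers. The following is an added example, not PHPExcel's own code: `loadUntrustedXml()` is a hypothetical helper, both sample documents are constructed, and it assumes PHP 7 or later with the mbstring extension.

```php
<?php
// Added example, not PHPExcel code. loadUntrustedXml() is a hypothetical helper.
function loadUntrustedXml(string $xml): SimpleXMLElement
{
    // The byte-level DOCTYPE check below assumes UTF-8 input. NUL bytes or
    // invalid UTF-8 point to another encoding that could hide a DOCTYPE from it.
    if (strpos($xml, "\0") !== false || !mb_check_encoding($xml, 'UTF-8')) {
        throw new RuntimeException('Rejected: input is not UTF-8');
    }
    // First filter only: spreadsheet XML needs no DTD, so refuse any DOCTYPE.
    if (preg_match('/<!DOCTYPE/i', $xml)) {
        throw new RuntimeException('Rejected: DOCTYPE declaration present');
    }
    // libxml_disable_entity_loader() is deprecated as of PHP 8.0; call it only before that.
    $legacy = PHP_VERSION_ID < 80000;
    $previous = $legacy ? libxml_disable_entity_loader(true) : null;
    $previousErrors = libxml_use_internal_errors(true);
    try {
        // No LIBXML_NOENT or LIBXML_DTDLOAD: entities are not substituted and
        // no external DTD is loaded. LIBXML_NONET blocks network access.
        $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($previousErrors);
        if ($legacy) {
            libxml_disable_entity_loader($previous); // restore the process-wide setting
        }
    }
    if ($doc === false) {
        throw new RuntimeException('Rejected: not well-formed XML');
    }
    return $doc;
}

// Constructed samples: a benign worksheet fragment and one declaring an external entity.
$benign = '<?xml version="1.0" encoding="UTF-8"?><worksheet><c r="A1"><v>42</v></c></worksheet>';
$hostile = '<?xml version="1.0" encoding="UTF-8"?>'
    . '<!DOCTYPE worksheet [<!ENTITY e SYSTEM "file:///constructed/placeholder">]>'
    . '<worksheet><c r="A1"><v>&e;</v></c></worksheet>';

foreach (['benign' => $benign, 'hostile' => $hostile] as $label => $xml) {
    try {
        $doc = loadUntrustedXml($xml);
        echo $label, ': parsed, A1 = ', (string) $doc->c->v, PHP_EOL;
    } catch (RuntimeException $e) {
        echo $label, ': ', $e->getMessage(), PHP_EOL;
    }
}
```

The DOCTYPE check is a coarse pre-filter; the parser options and the disabled entity loader are what keep entities from being resolved if a declaration gets past it.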