Blank CDATA in PHP SimpleXMLElement
I wanted to load the default filter file of the PHP-IDS project into a PHP variable, and was trying to do it like so:
$filter_file = file_get_contents("./default_filter.xml");
$rules = new SimpleXMLElement($filter_file);
This is what the XML file looked like:
<filters>
<filter>
<id>1</id>
<rule><![CDATA[(?:"[^"]*[^-]?>)|(?:[^\w\s]\s*\/>)|(?:>")]]></rule>
<description>finds html breaking injections
including whitespace attacks</description>
<tags>
<tag>xss</tag>
<tag>csrf</tag>
</tags>
<impact>4</impact>
</filter>
...
Problem is, the CDATA wasn’t appearing in the resulting data structure:
object(SimpleXMLElement)#3 (1) {
["filter"]=>
array(68) {
[0]=>
object(SimpleXMLElement)#4 (5) {
["id"]=>
string(1) "1"
["rule"]=>
object(SimpleXMLElement)#72 (0) {
}
["description"]=>
string(59) "finds html breaking injections including whitespace attacks"
["tags"]=>
object(SimpleXMLElement)#73 (1) {
["tag"]=>
array(2) {
[0]=>
string(3) "xss"
[1]=>
string(4) "csrf"
}
}
["impact"]=>
string(1) "4"
}
Notice how the “rule” variable in the object is blank. A quick Google search revealed that the solution was to load the XML in the following way:
$rules = simplexml_load_file("./default_filter.xml", 'SimpleXMLElement', LIBXML_NOCDATA);
Now the CDATA regex text appears in the object:
object(SimpleXMLElement)#3 (1) {
["filter"]=>
array(68) {
[0]=>
object(SimpleXMLElement)#4 (5) {
["id"]=>
string(1) "1"
["rule"]=>
string(41) "(?:"[^"]*[^-]?>)|(?:[^\w\s]\s*\/>)|(?:>")"
["description"]=>
string(59) "finds html breaking injections including whitespace attacks"
["tags"]=>
object(SimpleXMLElement)#72 (1) {
["tag"]=>
array(2) {
[0]=>
string(3) "xss"
[1]=>
string(4) "csrf"
}
}
["impact"]=>
string(1) "4"
}
[via Tech Thought]
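An added example, not code from the original post or from PHP-IDS: it reads the rule text with a string cast, which returns the CDATA content with or without LIBXML_NOCDATA, and refuses to continue if a rule comes back empty or does not compile. The helper name `load_rules`, the constructed sample XML, the `/…/ms` wrapping and the use of LIBXML_NONET are assumptions made for this illustration.

```php
<?php
// Constructed sample in the layout shown above (not the real rule file).
$xml = <<<'XML'
<filters>
  <filter>
    <id>1</id>
    <rule><![CDATA[(?:"[^"]*[^-]?>)|(?:[^\w\s]\s*\/>)|(?:>")]]></rule>
    <impact>4</impact>
  </filter>
</filters>
XML;

// Hypothetical helper: returns [id => delimited pattern], throws on an unusable rule.
function load_rules(string $xml, int $options = 0): array
{
    // LIBXML_NONET stops libxml from fetching anything over the network while parsing.
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', $options | LIBXML_NONET);
    if ($doc === false) {
        throw new RuntimeException('filter file is not well-formed XML');
    }
    $rules = [];
    foreach ($doc->filter as $filter) {
        $id = (int) $filter->id;
        // The string cast returns the element's text, CDATA sections included,
        // whether or not LIBXML_NOCDATA was passed.
        $rule = (string) $filter->rule;
        // Assumption: rules are applied inside '/' delimiters with the 'ms' modifiers.
        $pattern = '/' . $rule . '/ms';
        // An empty pattern compiles and matches every input, so reject it explicitly.
        if ($rule === '' || @preg_match($pattern, '') === false) {
            throw new UnexpectedValueException("filter $id has an empty or invalid rule");
        }
        $rules[$id] = $pattern;
    }
    return $rules;
}

$plain  = load_rules($xml);                 // default parser options
$merged = load_rules($xml, LIBXML_NOCDATA); // option used in the post
var_dump($plain === $merged);               // compares the rule text from both loads
var_dump(preg_match($plain[1], 'a>"'));     // constructed input for the third alternative

// Constructed failure case: the same file with the rule body stripped out.
$broken = preg_replace('~<rule>.*?</rule>~s', '<rule/>', $xml);
try {
    load_rules($broken);
} catch (UnexpectedValueException $e) {
    echo $e->getMessage(), "\n";
}
```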

