XMLParser would expand entities by default, which could make us
susceptible both to XXE attacks, and the billion laughs attack.
By default XMLReader does _not_ expand entities, so it's a safer choice.
This also changes the XmlRpcMethod::parse() function to throw a runtime
exception if the XML payload could not be parsed, and to return null if
the payload does not contain a valid <methodName> element.
In cases where we're unable to parse the payload as a valid XML-RPC
request, we fall back to saving the full request info as before.
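
The parsing behaviour this commit message describes, as an added example (not the project's code). It assumes the project is PHP and uses PHP's `XMLReader`; `parseMethodName()` is a hypothetical stand-in for `XmlRpcMethod::parse()`, and the sample payloads are constructed.

```php
<?php
// Added illustration: parseMethodName() and the payloads below are constructed.
function parseMethodName(string $payload): ?string
{
    $previous = libxml_use_internal_errors(true); // collect errors, no warnings
    libxml_clear_errors();
    try {
        $reader = new XMLReader();
        // LIBXML_NOENT and LIBXML_DTDLOAD are deliberately not passed, so
        // entities stay unexpanded; LIBXML_NONET also forbids network fetches.
        if ($payload === '' || !$reader->XML($payload, null, LIBXML_NONET)) {
            throw new RuntimeException('XML-RPC payload could not be loaded');
        }
        $state = 0;   // 0 = searching, 1 = inside <methodName>, 2 = finished
        $text = '';
        $clean = true;
        while ($reader->read()) {
            if ($state === 1) {
                if ($reader->nodeType === XMLReader::END_ELEMENT && $reader->depth === 1) {
                    $state = 2;
                } elseif ($reader->nodeType === XMLReader::TEXT) {
                    $text .= $reader->value;
                } else {
                    $clean = false; // entity reference, child element, CDATA, ...
                }
            } elseif ($state === 0 && $reader->nodeType === XMLReader::ELEMENT
                && $reader->depth === 1 && $reader->name === 'methodName'
                && !$reader->isEmptyElement) {
                $state = 1;
            }
        }
        foreach (libxml_get_errors() as $error) {
            if ($error->level >= LIBXML_ERR_ERROR) {
                throw new RuntimeException('XML-RPC payload is not well-formed XML');
            }
        }
        // Character set allowed for method names by the XML-RPC specification.
        $valid = $state === 2 && $clean && preg_match('#^[A-Za-z0-9_.:/]+$#', $text) === 1;
        return $valid ? $text : null;
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($previous);
    }
}

var_dump(parseMethodName('<methodCall><methodName>demo.ping</methodName></methodCall>'));
var_dump(parseMethodName('<!DOCTYPE m [<!ENTITY a "aaaa">]><methodCall><methodName>&a;</methodName></methodCall>'));
var_dump(parseMethodName('<methodCall><params/></methodCall>'));
```

A caller would catch the `RuntimeException` and treat a `null` return the same way, falling back to storing the full request as the commit message describes.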