Fix XXE vulnerability

GHSA-q386-w6fg-gmgp

src/Toolkit/Xml.php

@@ -271,7 +271,7 @@ public static function entities(): array
 	 */
 	public static function parse(string $xml): array|null
 	{
-		$xml = @simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NOENT);
+		$xml = @simplexml_load_string($xml);
 
 		if (is_object($xml) !== true) {
 			return null;

tests/Toolkit/XmlTest.php

@@ -139,6 +139,43 @@ public function testParseSimplifyCreate()
 		$this->assertNull(Xml::parse('<this>is invalid</that>'));
 	}
 
+	/**
+	 * @covers ::parse
+	 */
+	public function testParseEntities()
+	{
+		$xml   = '<!DOCTYPE d [<!ENTITY e "bar">]><x>this is a file: foo &e; (with entities)</x>';
+		$array = Xml::parse($xml);
+
+		$this->assertSame([
+			'@name' => 'x',
+			'@value' => 'this is a file: foo bar (with entities)'
+		], $array);
+	}
+
+	/**
+	 * @covers ::parse
+	 */
+	public function testParseRecursiveEntities()
+	{
+		$xml = file_get_contents(__DIR__ . '/fixtures/xml/billion-laughs.xml');
+		$this->assertNull(Xml::parse($xml));
+	}
+
+	/**
+	 * @covers ::parse
+	 */
+	public function testParseXXE()
+	{
+		$xml   = '<!DOCTYPE d [<!ENTITY e SYSTEM "' . __FILE__ . '">]><x>this is a file: &e; with an XXE vulnerability</x>';
+		$array = Xml::parse($xml);
+
+		$this->assertSame([
+			'@name' => 'x',
+			'@value' => 'this is a file:  with an XXE vulnerability'
+		], $array);
+	}
+
 	/**
 	 * @covers ::encode
 	 * @covers ::decode

tests/Toolkit/fixtures/xml/billion-laughs.xml

@@ -0,0 +1,9 @@
+<!DOCTYPE xml [
+  <!ENTITY lol "lol">
+  <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;">
+  <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
+  <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
+]>
+<xml>
+  <p>&lol4;</p>
+</xml>