Avoid libxml2's xmlNodeSetContent

[nwellnhof]

Description

xmlNodeSetContent decodes character and entity references which is typically not what users expect. This can be worked around by first calling xmlNodeSetContent with a NULL pointer to clear the node and then using xmlNodeAddContent which adds the string verbatim.

Here's an example:

<?php
$doc = new DOMDocument();
$doc->loadXML("<!DOCTYPE doc [ <!ENTITY e 'ent'> ]><doc/>");
$root = $doc->documentElement;
$root->nodeValue = "&lt; &e; &gt;";
echo($root->nodeValue); # prints "< ent >"

PHP Version

All versions

Operating System

No response

[nielsdos]

Yeah, we are aware of this (https://wiki.php.net/rfc/opt_in_dom_spec_compliance for the whole story).
In short: we couldn't fix these problems because people actively rely on these bugs.
In the end we introduced a new set of classes that don't have these issues.
There are "old" classes in the global namespace that start with DOM; and there are "new" classes in the "Dom" namespace.
The "old" ones, like DOMDocument etc, all keep their existing behaviour. The "new" classes follow the WHATWG dom spec propery.

[nwellnhof]

Okay, but xmlNodeSetContent is also used in other places. This here seems wrong:

php-src/ext/dom/text.c

Line 132 in 999d29d

xmlNodeSetContent(node, first);

[nielsdos]

That's the code for a text node, so that won't substitute entities. So that should be fine.

However, I'll re-open this issue so I can double check all uses.

[nielsdos]

Note though that the combination of xmlNodeSetContent+xmlNodeAddContent only works in all cases as of GNOME/libxml2@9aaa52f
Demo: https://gist.github.com/nielsdos/d0d46910950342c751ceab2b34104517
So for lower libxml branches, I'll need to handle this specially.

[nielsdos]

I checked DOM, all uses are okay there as it's either intentional or it's on text/cdata/pi/... which is safe anyway.
Soap needs changes, and SimpleXML has one usage that uses entity encoding. The SimpleXML case can probably be done more efficiently but we have to cater to attributes too.