dom: Switch to new safe option setting API

This API does not suffer from the global issue and does therefore not require a sanitization fixup. The API for XML is available starting from libxml 2.13, the one for HTML since 2.14.
2026-03-24 00:02:20 +01:00 · 2025-10-10 00:20:55 +02:00
parent 571f119f1d
commit 106079a462
2 changed files with 14 additions and 0 deletions
--- a/ext/dom/document.c
+++ b/ext/dom/document.c
@@ -1448,8 +1448,12 @@ xmlDocPtr dom_document_parser(zval *id, dom_load_mode mode, const char *source,
 		options |= XML_PARSE_RECOVER;
 	}

+#if LIBXML_VERSION >= 21300
+	xmlCtxtSetOptions(ctxt, options);
+#else
 	php_libxml_sanitize_parse_ctxt_options(ctxt);
 	xmlCtxtUseOptions(ctxt, options);
+#endif

 	if (recover) {
 		old_error_reporting = EG(error_reporting);
@@ -2086,10 +2090,16 @@ static void dom_load_html(INTERNAL_FUNCTION_PARAMETERS, int mode) /* {{{ */
 		ctxt->sax->error = php_libxml_ctx_error;
 		ctxt->sax->warning = php_libxml_ctx_warning;
 	}
+#if LIBXML_VERSION >= 21400
+	if (options) {
+		htmlCtxtSetOptions(ctxt, (int)options);
+	}
+#else
 	php_libxml_sanitize_parse_ctxt_options(ctxt);
 	if (options) {
 		htmlCtxtUseOptions(ctxt, (int)options);
 	}
+#endif
 	htmlParseDocument(ctxt);
 	xmlDocPtr newdoc = ctxt->myDoc;
 	htmlFreeParserCtxt(ctxt);
--- a/ext/dom/inner_outer_html_mixin.c
+++ b/ext/dom/inner_outer_html_mixin.c
@@ -291,8 +291,12 @@ static xmlNodePtr dom_xml_fragment_parsing_algorithm(dom_object *obj, const xmlN
 	}
 	parser->dict = context_node->doc->dict;

+#if LIBXML_VERSION >= 21300
+	xmlCtxtSetOptions(parser, XML_PARSE_IGNORE_ENC | XML_PARSE_NOERROR | XML_PARSE_NOWARNING | XML_PARSE_NO_XXE);
+#else
 	php_libxml_sanitize_parse_ctxt_options(parser);
 	xmlCtxtUseOptions(parser, XML_PARSE_IGNORE_ENC | XML_PARSE_NOERROR | XML_PARSE_NOWARNING);
+#endif

 	xmlCharEncodingHandlerPtr encoding = xmlFindCharEncodingHandler("UTF-8");
 	(void) xmlSwitchToEncoding(parser, encoding);