From f02898e14d3485b9d31e4b01f748a3644df97657 Mon Sep 17 00:00:00 2001
From: MarkBaker
Date: Tue, 20 Nov 2018 18:40:09 +0100
Subject: [PATCH] Don't rely purely on libxml_disable_entity_loader()
---
 src/PhpSpreadsheet/Reader/Security/XmlScanner.php | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/src/PhpSpreadsheet/Reader/Security/XmlScanner.php b/src/PhpSpreadsheet/Reader/Security/XmlScanner.php
index 1bc6060e..eefd7c7d 100644
--- a/src/PhpSpreadsheet/Reader/Security/XmlScanner.php
+++ b/src/PhpSpreadsheet/Reader/Security/XmlScanner.php
@@ -62,11 +62,10 @@ class XmlScanner
 $xml = mb_convert_encoding($xml, 'UTF-8', $charset);
 }
- if (!$this->libxmlDisableEntityLoader) {
- $pattern = '/\\0?' . implode('\\0?', str_split($this->pattern)) . '\\0?/';
- if (preg_match($pattern, $xml)) {
- throw new Exception('Detected use of ENTITY in XML, spreadsheet file load() aborted to prevent XXE/XEE attacks');
- }
+ // Don't rely purely on libxml_disable_entity_loader()
+ $pattern = '/\\0?' . implode('\\0?', str_split($this->pattern)) . '\\0?/';
+ if (preg_match($pattern, $xml)) {
+ throw new Exception('Detected use of ENTITY in XML, spreadsheet file load() aborted to prevent XXE/XEE attacks');
 }
 return $xml;
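Review bot: The now-unconditional `preg_match($pattern, $xml)` test in the added block still fails open, because `preg_match` returns `false` on a PCRE error and `if (false)` lets the document through. Comparing explicitly, `if (preg_match($pattern, $xml) !== 0) {`, would reject the file in that case as well. The pattern is also built from `$this->pattern` without `preg_quote()` on each character, which is safe only while that property holds no regex metacharacters or `/`; its value is defined outside this hunk. The match runs on `$xml` after the charset conversion just above, so it is only as reliable as the encoding detection earlier in this method, which starts outside the hunk. A comment stating that dependency would serve a maintainer better than one repeating the commit subject.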