Open judgej opened 6 years ago
Sending broken XML to the application throws an exception. The middleware must not trust the XML so much that it assumes it is valid. That's a potential attack vector.
```
{
    "message": "simplexml_load_string(): Entity: line 1: parser error : Opening and ending tag mismatch: Document line 1 and xDocument",
    "exception": "ErrorException",
    "file": "/.../vendor/tucker-eric/laravel-xml-middleware/src/XmlRequestServiceProvider.php",
    "line": 27,
    "trace": [
        {
            "function": "handleError",
            "class": "Illuminate\\Foundation\\Bootstrap\\HandleExceptions",
            "type": "->"
        },
        {
            "file": "/.../vendor/tucker-eric/laravel-xml-middleware/src/XmlRequestServiceProvider.php",
            "line": 27,
            "function": "simplexml_load_string"
        },
        {
            "function": "XmlMiddleware\\{closure}",
            "class": "Illuminate\\Http\\Request",
            "type": "->"
        },
        ...
}
```
Good point. We'll add some error handling. I'd be happy to merge a PR for this.
Okay, I'm just putting some project stuff together at the moment. If/when I make the necessary changes, I'll make sure it's a PR.
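One way to add the error handling discussed in this thread, as an added example that is not the package's own code and not from either participant. The names `parseUntrustedXml` and `MalformedXmlException` are hypothetical; the sketch is framework-free and assumes the caller maps the exception to an HTTP 400 response.

```php
<?php
declare(strict_types=1);

// Hypothetical exception type; an application could map it to an HTTP 400 response.
final class MalformedXmlException extends RuntimeException {}

/**
 * Parse a request body as XML without letting libxml warnings escape
 * as ErrorException. parseUntrustedXml() is an illustrative name.
 */
function parseUntrustedXml(string $body): SimpleXMLElement
{
    if (trim($body) === '') {
        throw new MalformedXmlException('Empty XML body');
    }

    // Collect parser errors internally instead of emitting PHP warnings.
    $previous = libxml_use_internal_errors(true);
    libxml_clear_errors();
    try {
        $xml = simplexml_load_string($body);
        if ($xml === false) {
            $first = libxml_get_errors()[0] ?? null;
            $detail = $first
                ? sprintf('line %d: %s', $first->line, trim($first->message))
                : 'unknown parser error';
            // Log $detail server-side; the client only needs a generic 400.
            throw new MalformedXmlException('Malformed XML, ' . $detail);
        }
        return $xml;
    } finally {
        // Restore global libxml state so other code is unaffected.
        libxml_clear_errors();
        libxml_use_internal_errors($previous);
    }
}

// Constructed samples: one well-formed, one with the tag mismatch from the report.
foreach (['<Document><a>1</a></Document>', '<Document><a>1</a></xDocument>'] as $sample) {
    try {
        $doc = parseUntrustedXml($sample);
        echo 'parsed root: ', $doc->getName(), PHP_EOL;
    } catch (MalformedXmlException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```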