0xV3NOMx
Linux ip-172-26-7-228 5.4.0-1103-aws #111~18.04.1-Ubuntu SMP Tue May 23 20:04:10 UTC 2023 x86_64



Your IP : 18.118.184.36


Current Path : /var/www/html/pgadm/PHPExcel/Documentation/markdown/ReadingSpreadsheetFiles/
Upload File :
Current File : /var/www/html/pgadm/PHPExcel/Documentation/markdown/ReadingSpreadsheetFiles/02-Security.md

# PHPExcel User Documentation – Reading Spreadsheet Files


## Security

XML-based formats such as OfficeOpen XML, Excel2003 XML, OASIS and Gnumeric are susceptible to XML External Entity Processing (XXE) injection attacks (for an explanation of XXE injection see http://websec.io/2012/08/27/Preventing-XEE-in-PHP.html) when reading spreadsheet files. This can lead to:

 - Disclosure whether a file is existent
 - Server Side Request Forgery
 - Command Execution (depending on the installed PHP wrappers)
 

To prevent this, PHPExcel sets `libxml_disable_entity_loader` to `true` for the XML-based Readers by default.