Explicitly wrap some XML calls in libxml_disable_entity_loader()

As per https://www.php.net/manual/en/function.libxml-disable-entity-loader.php
this is technically unnecessary.

>However, as of libxml 2.9.0 entity substitution is disabled by default,
>so there is no need to disable the loading of external entities.

See also php/php-src#5867

>Since the release of libxml 2.9.0 in 2012 external entity loading is
>disabled in libxml by default. This means that using
>libxml_disable_entity_loader() is no longer needed.

Hopefully helps prevent false positive reports from security scanning tools.

Change-Id: I8a09d62a9920fd0bf4a388baa5544a02323bb541
(cherry picked from commit 64ea157)

Author: reedy

includes/site/SiteImporter.php

@@ -82,11 +82,13 @@ public function importFromXML( $xml ) {
 		$document = new DOMDocument();
 
 		$oldLibXmlErrors = libxml_use_internal_errors( true );
+		$oldDisable = libxml_disable_entity_loader( true );
 		$ok = $document->loadXML( $xml, LIBXML_NONET );
 
 		if ( !$ok ) {
 			$errors = libxml_get_errors();
 			libxml_use_internal_errors( $oldLibXmlErrors );
+			libxml_disable_entity_loader( $oldDisable );
 
 			foreach ( $errors as $error ) {
 				/** @var LibXMLError $error */
@@ -99,6 +101,7 @@ public function importFromXML( $xml ) {
 		}
 
 		libxml_use_internal_errors( $oldLibXmlErrors );
+		libxml_disable_entity_loader( $oldDisable );
 		$this->importFromDOM( $document->documentElement );
 	}
 

tests/phpunit/includes/ExportTest.php

@@ -37,9 +37,13 @@ public function testPageByTitle() {
 		$exporter->pageByTitle( $title );
 		$exporter->closeStream();
 
+		$oldDisable = libxml_disable_entity_loader( true );
+
 		// This throws error if invalid xml output
 		$xmlObject = simplexml_load_string( $sink );
 
+		libxml_disable_entity_loader( $oldDisable );
+
 		/**
 		 * Check namespaces match xml
 		 */