Preventing XEE attacks by temporarily disabling entity loader for the…

… time parsing external XML.

Slim/Middleware/ContentTypes.php

@@ -137,7 +137,10 @@ protected function parseXml($input)
     {
         if (class_exists('SimpleXMLElement')) {
             try {
-                return new \SimpleXMLElement($input);
+                $backup = libxml_disable_entity_loader(true);
+                $result = new \SimpleXMLElement($input);
+                libxml_disable_entity_loader($backup);
+                return $result;
             } catch (\Exception $e) {
                 // Do nothing
             }