<?php

/*
 * This file is part of the Symfony package.
 *
 * (c) Fabien Potencier <>
 *
 * For the full copyright and license information, please view the LICENSE
 * file that was distributed with this source code.
 */
namespace Symfony\Component\Serializer\Encoder;
use Symfony\Component\Serializer\Exception\UnexpectedValueException;
/**
 * Encodes XML data.
 *
 * @author Jordi Boggiano <>
 * @author John Wards <>
 * @author Fabian Vogler <>
 */
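class XmlEncoder extends SerializerAwareEncoder implements EncoderInterface, DecoderInterface, NormalizationAwareInterface
{
    /**
     * @var \DOMDocument|null Document being built by the current encode() call
     */
    private $dom;

    /**
     * @var string|null Format passed to encode(), forwarded to the serializer when normalizing objects
     */
    private $format;

    /**
     * @var array|null Context passed to encode(), forwarded to the serializer when normalizing objects
     */
    private $context;

    /**
     * @var string Root element name used when the context does not override it
     */
    private $rootNodeName = 'response';

    /**
     * Construct new XmlEncoder and allow to change the root node element name.
     *
     * @param string $rootNodeName
     */
    public function __construct($rootNodeName = 'response')
    {
        $this->rootNodeName = $rootNodeName;
    }

    /**
     * {@inheritdoc}
     */
    public function encode($data, $format, array $context = array())
    {
        // A ready-made DOM document is serialized as it is.
        if ($data instanceof \DOMDocument) {
            return $data->saveXML();
        }

        $xmlRootNodeName = $this->resolveXmlRootName($context);

        $this->dom = $this->createDomDocument($context);
        $this->format = $format;
        $this->context = $context;

        if (null !== $data && !is_scalar($data)) {
            $root = $this->dom->createElement($xmlRootNodeName);
            // The root has to be attached before it is filled: buildXml() looks at
            // $root->parentNode to recognise the top-level element, and an element
            // that is never attached would not appear in saveXML() at all.
            $this->dom->appendChild($root);
            $this->buildXml($root, $data, $xmlRootNodeName);
        } else {
            $this->appendNode($this->dom, $data, $xmlRootNodeName);
        }

        return $this->dom->saveXML();
    }

    /**
     * {@inheritdoc}
     *
     * The input is treated as untrusted: the entity loader is disabled and
     * LIBXML_NONET is set so the parser does not fetch external resources, and
     * any document that carries a DOCTYPE is refused, which rules out entity
     * declarations altogether. The DOCTYPE check runs after parsing, so safety
     * during the parse itself rests on the parser options.
     *
     * @throws UnexpectedValueException When the input is empty, is not well-formed or declares a document type
     */
    public function decode($data, $format, array $context = array())
    {
        if ('' === trim($data)) {
            throw new UnexpectedValueException('Invalid XML data, it can not be empty.');
        }

        // Both settings are global to libxml; remember the previous values so they can
        // be put back whatever the outcome. libxml_disable_entity_loader() is deprecated
        // as of PHP 8.0 - NOTE(review): guard the call if this file must run there.
        $internalErrors = libxml_use_internal_errors(true);
        $disableEntities = libxml_disable_entity_loader(true);
        // Drop errors left over from earlier parsing so they are not blamed on this input.
        libxml_clear_errors();

        $dom = new \DOMDocument();
        $dom->loadXML($data, LIBXML_NONET);
        $error = libxml_get_last_error();

        $hasDocumentType = false;
        $xml = null;
        if (!$error) {
            foreach ($dom->childNodes as $child) {
                if (XML_DOCUMENT_TYPE_NODE === $child->nodeType) {
                    $hasDocumentType = true;
                    break;
                }
            }

            if (!$hasDocumentType) {
                $xml = simplexml_import_dom($dom);
                $error = libxml_get_last_error();
            }
        }

        // Restore the caller's libxml state before any exception leaves this method;
        // otherwise the entity loader and error handling stay altered for unrelated code.
        libxml_clear_errors();
        libxml_use_internal_errors($internalErrors);
        libxml_disable_entity_loader($disableEntities);

        if ($error) {
            throw new UnexpectedValueException($error->message);
        }

        if ($hasDocumentType) {
            throw new UnexpectedValueException('Document types are not allowed.');
        }

        // A root element without children decodes to its text, or to an array of
        // '@attribute' entries plus '#' for the text when it has attributes.
        if (!$xml->count()) {
            if (!$xml->attributes()) {
                return (string) $xml;
            }

            $data = array();
            foreach ($xml->attributes() as $attrkey => $attr) {
                $data['@'.$attrkey] = (string) $attr;
            }
            $data['#'] = (string) $xml;

            return $data;
        }

        return $this->parseXml($xml);
    }

    /**
     * {@inheritdoc}
     */
    public function supportsEncoding($format)
    {
        return 'xml' === $format;
    }

    /**
     * {@inheritdoc}
     */
    public function supportsDecoding($format)
    {
        return 'xml' === $format;
    }

    /**
     * Sets the root node name
     *
     * @param string $name root node name
     */
    public function setRootNodeName($name)
    {
        $this->rootNodeName = $name;
    }

    /**
     * Returns the root node name
     *
     * @return string
     */
    public function getRootNodeName()
    {
        return $this->rootNodeName;
    }

    /**
     * Parses a string as XML markup and appends the result to a node.
     *
     * The value is inserted as markup, not as escaped text, so it must only
     * ever come from a trusted source; use appendText() or appendCData() for
     * values that originate outside the application.
     *
     * @param \DOMNode $node
     * @param string   $val
     *
     * @return bool false when the value is empty or is not a well-formed fragment
     */
    final protected function appendXMLString(\DOMNode $node, $val)
    {
        if (strlen($val) > 0) {
            $frag = $this->dom->createDocumentFragment();
            // An empty fragment cannot be appended, so stop when the markup is rejected.
            if (!$frag->appendXML($val)) {
                return false;
            }
            $node->appendChild($frag);

            return true;
        }

        return false;
    }

    /**
     * Appends a value to a node as a text node.
     *
     * @param \DOMNode $node
     * @param string   $val
     *
     * @return bool
     */
    final protected function appendText(\DOMNode $node, $val)
    {
        $nodeText = $this->dom->createTextNode($val);
        $node->appendChild($nodeText);

        return true;
    }

    /**
     * Appends a value to a node as a CDATA section.
     *
     * @param \DOMNode $node
     * @param string   $val
     *
     * @return bool
     */
    final protected function appendCData(\DOMNode $node, $val)
    {
        $nodeText = $this->dom->createCDATASection($val);
        $node->appendChild($nodeText);

        return true;
    }

    /**
     * Appends a document fragment to a node.
     *
     * @param \DOMNode              $node
     * @param \DOMDocumentFragment $fragment
     *
     * @return bool false when $fragment is not a document fragment
     */
    final protected function appendDocumentFragment(\DOMNode $node, $fragment)
    {
        if ($fragment instanceof \DOMDocumentFragment) {
            $node->appendChild($fragment);

            return true;
        }

        return false;
    }

    /**
     * Checks the name is a valid xml element name
     *
     * buildXml() relies on this check before using a data key as an attribute
     * name or as a scalar's element name; keys that fail it are emitted as
     * <item key="..."> instead.
     *
     * @param string $name
     *
     * @return bool
     */
    final protected function isElementNameValid($name)
    {
        // A letter or underscore first, then letters, digits, '.', '_' or '-'.
        // Colons are not accepted, so prefixed names do not pass.
        return $name &&
            false === strpos($name, ' ') &&
            preg_match('#^[\pL_][\pL0-9._-]*$#ui', $name);
    }

    /**
     * Parse the input SimpleXmlElement into an array.
     *
     * Attributes become '@name' entries, <item key="k"> children are stored under
     * 'k', and element names that repeat are collected into a list.
     *
     * @param \SimpleXmlElement $node xml to parse
     *
     * @return array
     */
    private function parseXml(\SimpleXmlElement $node)
    {
        $data = array();
        if ($node->attributes()) {
            foreach ($node->attributes() as $attrkey => $attr) {
                $data['@'.$attrkey] = (string) $attr;
            }
        }

        foreach ($node->children() as $key => $subnode) {
            if ($subnode->count()) {
                $value = $this->parseXml($subnode);
            } elseif ($subnode->attributes()) {
                $value = array();
                foreach ($subnode->attributes() as $attrkey => $attr) {
                    $value['@'.$attrkey] = (string) $attr;
                }
                $value['#'] = (string) $subnode;
            } else {
                $value = (string) $subnode;
            }

            if ('item' === $key) {
                if (isset($value['@key'])) {
                    if (isset($value['#'])) {
                        $data[$value['@key']] = $value['#'];
                    } else {
                        $data[$value['@key']] = $value;
                    }
                } else {
                    $data['item'][] = $value;
                }
            } elseif (array_key_exists($key, $data) || 'entry' === $key) {
                if (!array_key_exists($key, $data)) {
                    // First <entry>: start an empty list. Reading the missing key here
                    // used to raise a notice and leave a null as the first element.
                    $data[$key] = array();
                } elseif (!is_array($data[$key]) || !isset($data[$key][0])) {
                    // Second occurrence of a name: turn the single value into a list.
                    $data[$key] = array($data[$key]);
                }
                $data[$key][] = $value;
            } else {
                $data[$key] = $value;
            }
        }

        return $data;
    }

    /**
     * Parse the data and convert it to DOMElements
     *
     * @param \DOMNode     $parentNode
     * @param array|object $data
     * @param string|null  $xmlRootNodeName
     *
     * @return bool
     *
     * @throws UnexpectedValueException
     */
    private function buildXml(\DOMNode $parentNode, $data, $xmlRootNodeName = null)
    {
        $append = true;

        if (is_array($data) || $data instanceof \Traversable) {
            foreach ($data as $key => $value) {
                // '@name' keys with a scalar value become attributes of the parent.
                if (0 === strpos($key, '@') && is_scalar($value) && $this->isElementNameValid($attributeName = substr($key, 1))) {
                    $parentNode->setAttribute($attributeName, $value);
                } elseif ('#' === $key) {
                    // '#' carries the content of the parent node itself.
                    $append = $this->selectNodeType($parentNode, $value);
                } elseif (is_array($value) && false === is_numeric($key)) {
                    // NOTE(review): $key is used as an element name here without going
                    // through isElementNameValid(); createElement() raises a DOMException
                    // for a name it does not accept.
                    if (ctype_digit(implode('', array_keys($value)))) {
                        // Only numeric keys: repeat the element once per entry, so
                        // array("item" => array(0, 1)) gives <item>0</item><item>1</item>.
                        foreach ($value as $subData) {
                            $append = $this->appendNode($parentNode, $subData, $key);
                        }
                    } else {
                        $append = $this->appendNode($parentNode, $value, $key);
                    }
                } elseif (is_numeric($key) || !$this->isElementNameValid($key)) {
                    // Keys that cannot be element names are kept in a "key" attribute.
                    $append = $this->appendNode($parentNode, $value, 'item', $key);
                } else {
                    $append = $this->appendNode($parentNode, $value, $key);
                }
            }

            return $append;
        }

        if (is_object($data)) {
            $data = $this->serializer->normalize($data, $this->format, $this->context);
            if (null !== $data && !is_scalar($data)) {
                return $this->buildXml($parentNode, $data, $xmlRootNodeName);
            }

            // top level data object was normalized into a scalar
            $owner = $parentNode->parentNode;
            if ($owner && !$owner->parentNode) {
                // The document can hold a single root element, so the placeholder
                // root is taken out before the scalar root is appended.
                $owner->removeChild($parentNode);

                return $this->appendNode($owner, $data, $xmlRootNodeName);
            }

            return $this->appendNode($parentNode, $data, 'data');
        }

        throw new UnexpectedValueException(sprintf('An unexpected value could not be serialized: %s', var_export($data, true)));
    }

    /**
     * Selects the type of node to create and appends it to the parent.
     *
     * @param \DOMNode     $parentNode
     * @param array|object $data
     * @param string       $nodeName
     * @param string       $key
     *
     * @return bool
     */
    private function appendNode(\DOMNode $parentNode, $data, $nodeName, $key = null)
    {
        $node = $this->dom->createElement($nodeName);
        if (null !== $key) {
            $node->setAttribute('key', $key);
        }
        $appendNode = $this->selectNodeType($node, $data);
        // we may have decided not to append this node, either in error or if its $nodeName is not valid
        if ($appendNode) {
            $parentNode->appendChild($node);
        }

        return $appendNode;
    }

    /**
     * Checks if a value contains any characters which would require CDATA wrapping.
     *
     * @param string $val
     *
     * @return bool
     */
    private function needsCdataWrapping($val)
    {
        return 0 < preg_match('/[<>&]/', $val);
    }

    /**
     * Tests the value being passed and decide what sort of element to create
     *
     * Strings and numbers are added as text or CDATA. SimpleXMLElement and
     * DOMNode values are imported as markup, so they should be built by the
     * application rather than taken from outside input.
     *
     * @param \DOMNode $node
     * @param mixed    $val
     *
     * @return bool
     */
    private function selectNodeType(\DOMNode $node, $val)
    {
        if (is_array($val)) {
            return $this->buildXml($node, $val);
        } elseif ($val instanceof \SimpleXMLElement) {
            $child = $this->dom->importNode(dom_import_simplexml($val), true);
            $node->appendChild($child);
        } elseif ($val instanceof \Traversable) {
            $this->buildXml($node, $val);
        } elseif ($val instanceof \DOMNode) {
            // Tested before is_object(): a DOMNode is an object, so this branch
            // could never be reached when it came after the generic object case.
            $child = $this->dom->importNode($val, true);
            $node->appendChild($child);
        } elseif (is_object($val)) {
            return $this->buildXml($node, $this->serializer->normalize($val, $this->format, $this->context));
        } elseif (is_numeric($val)) {
            return $this->appendText($node, (string) $val);
        } elseif (is_string($val) && $this->needsCdataWrapping($val)) {
            return $this->appendCData($node, $val);
        } elseif (is_string($val)) {
            return $this->appendText($node, $val);
        } elseif (is_bool($val)) {
            return $this->appendText($node, (int) $val);
        }

        return true;
    }

    /**
     * Get real XML root node name, taking serializer options into account.
     *
     * @param array $context options that the encoder has access to.
     *
     * @return string the 'xml_root_node_name' option when set, else the configured root node name
     */
    private function resolveXmlRootName(array $context = array())
    {
        return isset($context['xml_root_node_name'])
            ? $context['xml_root_node_name']
            : $this->rootNodeName;
    }

    /**
     * Create a DOM document, taking serializer options into account.
     *
     * @param array $context options that the encoder has access to.
     *
     * @return \DOMDocument
     */
    private function createDomDocument(array $context)
    {
        $document = new \DOMDocument();

        // Context options that set a property of the document, each of which
        // ends up in the XML declaration.
        $xmlOptions = array(
            // the version number of the document
            'xml_version' => 'xmlVersion',
            // the encoding of the document
            'xml_encoding' => 'encoding',
            // whether the document is standalone
            'xml_standalone' => 'xmlStandalone',
        );
        foreach ($xmlOptions as $xmlOption => $documentProperty) {
            if (isset($context[$xmlOption])) {
                $document->$documentProperty = $context[$xmlOption];
            }
        }

        return $document;
    }
}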