// Document parsed by the driver code at the end of this script.
$file = 'xmltest.xml';
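/**
 * Decide whether a document may have its embedded PHP code executed.
 *
 * A document is trusted only when it is a plain local file whose owner is
 * the owner of the running script (getmyuid()).
 *
 * @param string $file Path or URL of the document.
 * @return bool True when the file is local and owned by the script owner.
 */
function trustedFile($file)
{
    // Only trust local files: reject anything that carries a URL or stream
    // wrapper scheme. The scheme pattern follows RFC 3986, so wrapper names
    // containing digits, dots, plus or minus signs are rejected as well.
    if (!is_string($file) || preg_match('@^[a-z][a-z0-9+.\-]*://@i', $file)) {
        return false;
    }

    // A path that is not an existing regular file has no owner to compare.
    if (!is_file($file)) {
        return false;
    }

    // fileowner() returns false on failure. A loose comparison would treat
    // that false as equal to uid 0, so the check is strict and the failure
    // case is excluded explicitly.
    $owner = fileowner($file);

    return $owner !== false && $owner === getmyuid();
}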
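/**
 * Start-tag handler: prints the opening tag with its attributes.
 *
 * @param mixed  $parser  Parser handle passed by the XML extension (unused).
 * @param string $name    Element name.
 * @param array  $attribs Attribute name => value pairs.
 * @return void
 */
function startElement($parser, $name, $attribs)
{
    // NOTE(review): the tag delimiters are written raw. If this output is
    // served as HTML, element names from the document become live tags;
    // confirm the intended output context.
    echo "<$name";

    foreach ($attribs as $k => $v) {
        // Attribute values are taken from the document and must be escaped
        // before being placed back between double quotes, otherwise a value
        // containing a quote or angle bracket breaks out of the attribute.
        echo ' ' . $k . '="' . htmlspecialchars($v, ENT_QUOTES) . '"';
    }

    echo ">";
}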
/**
 * End-tag handler: prints the closing tag for an element.
 *
 * @param mixed  $parser Parser handle passed by the XML extension (unused).
 * @param string $name   Element name.
 * @return void
 */
function endElement($parser, $name)
{
    echo '</' . $name . '>';
}
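/**
 * Character-data handler: prints the text content of an element.
 *
 * @param mixed  $parser Parser handle passed by the XML extension (unused).
 * @param string $data   Text delivered by the parser.
 * @return void
 */
function characterData($parser, $data)
{
    // The text comes from the document being parsed. Escape it the same way
    // defaultHandler() and PIHandler() do, so markup characters in the text
    // are shown as text instead of being interpreted by the consumer.
    echo htmlspecialchars($data);
}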
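/**
 * Processing-instruction handler.
 *
 * Only the "php" target is handled. Its content is executed when the
 * document it came from passes trustedFile(); otherwise the code is printed
 * in escaped form.
 *
 * @param mixed  $parser Parser handle; also the key into $parser_file.
 * @param string $target Processing-instruction target.
 * @param string $data   Processing-instruction content.
 * @return void
 */
function PIHandler($parser, $target, $data)
{
    global $parser_file;

    if (strtolower($target) !== 'php') {
        return;
    }

    // Look up the file this parser was created for. A parser with no
    // recorded file is treated as untrusted rather than passed on as null.
    $source = null;
    if (is_array($parser_file) && isset($parser_file[$parser])) {
        $source = $parser_file[$parser];
    }

    // If the document being parsed is "trusted", its embedded PHP code is
    // executed; otherwise the code is only displayed.
    if ($source !== null && trustedFile($source)) {
        // SECURITY: eval() runs document content with the full privileges of
        // this script. The only gate is trustedFile(), which checks the file
        // owner and not who was able to write the file's content. Prefer
        // removing this branch unless executing embedded code is required.
        eval($data);
    } else {
        printf("Untrusted PHP code: %s", htmlspecialchars($data));
    }
}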
/**
 * Default handler: prints any data no other handler claimed, escaped.
 *
 * @param mixed  $parser Parser handle passed by the XML extension (unused).
 * @param string $data   Raw data delivered by the parser.
 * @return void
 */
function defaultHandler($parser, $data)
{
    // Entity references ("&name;") and all other data are written the same
    // way, so one escaped write covers both cases.
    echo htmlspecialchars($data);
}
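/**
 * External-entity handler: opens the entity's system identifier with
 * new_xml_parser() and parses it with a separate parser.
 *
 * @param mixed  $parser          Parser that met the entity reference.
 * @param string $openEntityNames Names of the entities currently open.
 * @param mixed  $base            Base for resolving the identifier (unused).
 * @param string $systemId        System identifier of the entity.
 * @param mixed  $publicId        Public identifier of the entity (unused).
 * @return bool True when the entity was opened and parsed without error.
 */
function externalEntityRefHandler($parser, $openEntityNames, $base, $systemId, $publicId)
{
    if (!$systemId) {
        return false;
    }

    // NOTE(review): $systemId is supplied by the document being parsed and
    // is opened as given, so a document can make this script read any path
    // or URL that fopen() accepts. Restrict it to an allow-list or a fixed
    // base directory before using this on documents you do not control.
    $opened = new_xml_parser($systemId);
    if (!$opened) {
        printf(
            "Could not open entity %s at %s\n",
            htmlspecialchars($openEntityNames),
            htmlspecialchars($systemId)
        );
        return false;
    }
    list($entityParser, $fp) = $opened;

    $parsed = true;
    while ($data = fread($fp, 4096)) {
        if (!xml_parse($entityParser, $data, feof($fp))) {
            // Report while the parser still exists; it is freed below.
            printf(
                "XML error: %s at line %d while parsing entity %s\n",
                xml_error_string(xml_get_error_code($entityParser)),
                xml_get_current_line_number($entityParser),
                htmlspecialchars($openEntityNames)
            );
            $parsed = false;
            break;
        }
    }

    // Release the parser and the stream on the success and failure paths.
    xml_parser_free($entityParser);
    fclose($fp);

    return $parsed;
}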
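/**
 * Open a document and create a parser wired to this script's handlers.
 *
 * The file name is recorded in the global $parser_file map under the parser
 * handle, so that PIHandler() can look up which file a parser belongs to.
 *
 * @param string $file Path or URL to open for reading.
 * @return array|false array($parser, $stream) on success, false when the
 *                     file cannot be opened.
 */
function new_xml_parser($file)
{
    global $parser_file;

    // Open the input first, so a failed open does not leave an unused
    // parser allocated. Warnings are suppressed because callers print
    // their own message when false is returned.
    $fp = @fopen($file, "r");
    if (!$fp) {
        return false;
    }

    $xml_parser = xml_parser_create();
    xml_parser_set_option($xml_parser, XML_OPTION_CASE_FOLDING, 1);
    xml_set_element_handler($xml_parser, "startElement", "endElement");
    xml_set_character_data_handler($xml_parser, "characterData");
    xml_set_processing_instruction_handler($xml_parser, "PIHandler");
    xml_set_default_handler($xml_parser, "defaultHandler");
    xml_set_external_entity_ref_handler($xml_parser, "externalEntityRefHandler");

    if (!is_array($parser_file)) {
        settype($parser_file, "array");
    }

    // NOTE(review): the parser handle is used as an array key, which relies
    // on the handle being a resource (PHP before 8.0). Confirm the target
    // PHP version.
    $parser_file[$xml_parser] = $file;

    return array($xml_parser, $fp);
}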
// Open the document named by $file and get its parser and input stream.
$opened = new_xml_parser($file);
if (!$opened) {
    die("could not open XML input");
}
list($xml_parser, $fp) = $opened;

echo "
";

// Feed the document to the parser in 4096-byte chunks. The third argument
// of xml_parse() is set from feof() on the input stream.
for (;;) {
    $data = fread($fp, 4096);
    if (!$data) {
        break;
    }
    if (!xml_parse($xml_parser, $data, feof($fp))) {
        die(sprintf(
            "XML error: %s at line %d\n",
            xml_error_string(xml_get_error_code($xml_parser)),
            xml_get_current_line_number($xml_parser)
        ));
    }
}

echo "
";
echo "parse complete\n";
xml_parser_free($xml_parser);
?>