/**
 * Checks that XML documents carrying a whitelisted DOCTYPE are deserialized
 * without the visitor raising an exception.
 *
 * Two declarations are whitelisted: a plain external DTD reference, and an
 * internal subset that declares an external entity through the php://filter
 * stream wrapper pointing at this test file. Neither document body references
 * the entity, so the test exercises only the DOCTYPE acceptance path, not
 * entity expansion.
 *
 * The test makes no assertions; it passes when both deserialize() calls return.
 *
 * NOTE(review): as shown here, the second whitelist entry and the DOCTYPE in
 * the second document differ in whitespace, so the visitor presumably
 * normalises whitespace before comparing. Confirm against the visitor.
 */
public function testWhitelistedDocumentTypesAreAllowed()
{
    // Same value in the whitelist entry and in the document, so compute it once.
    $thisFile = basename(__FILE__);

    $namingStrategy = new SerializedNameAnnotationStrategy(new CamelCaseNamingStrategy());
    $xmlVisitor = new XmlDeserializationVisitor(
        $namingStrategy,
        $this->getDeserializationHandlers(),
        new UnserializeObjectConstructor()
    );

    // Whitelisting a DOCTYPE that declares an external entity is an explicit
    // opt-in; outside of tests such entries deserve the same scrutiny as
    // enabling external entity loading.
    $allowedDoctypes = array(
        '<!DOCTYPE authorized SYSTEM "http://authorized_url.dtd">',
        '<!DOCTYPE author [<!ENTITY foo SYSTEM "php://filter/read=convert.base64-encode/resource=' . $thisFile . '">]>',
    );
    $xmlVisitor->setDoctypeWhitelist($allowedDoctypes);

    $metadataFactory = new MetadataFactory(new AnnotationDriver(new AnnotationReader()));
    $serializer = new Serializer($metadataFactory, array(), array('xml' => $xmlVisitor));

    // Document 1: external DTD reference matching the first whitelist entry.
    $externalDtdDocument = '<?xml version="1.0"?> <!DOCTYPE authorized SYSTEM "http://authorized_url.dtd"> <foo></foo>';
    $serializer->deserialize($externalDtdDocument, 'stdClass', 'xml');

    // Document 2: internal subset with an entity declaration that is never referenced.
    $entityDeclDocument = '<?xml version="1.0"?> <!DOCTYPE author [ <!ENTITY foo SYSTEM "php://filter/read=convert.base64-encode/resource=' . $thisFile . '"> ]> <foo></foo>';
    $serializer->deserialize($entityDeclDocument, 'stdClass', 'xml');
}