Question
This should be simple but it's been eluding me. We have a web service written in PHP that parses an XML payload that comes in as a POST, so the XML payload is contained in a $_POST variable.
The service finds the POST var that looks like it has XML and then uses simplexml_load_string to load it up. It seems like whenever there are quotes in the data like <element>this is a "test"</element> or this
<BuyerItemDesc>Customer's Serial Number</BuyerItemDesc>
the load fails.
My question is: what's the best way to sanitize the data in POST before calling simplexml_load_string()? I know that PHP is doing some escaping of quotes found in $_POST vars (from phpinfo()):
    Directive            Local Value   Master Value
    magic_quotes_gpc     On            On
    magic_quotes_runtime Off           Off
But this approach does not seem to solve it:
    trim(stripslashes($xmlFromPost));
Snippet from XML in Question
<Item>
<POLineNbr>1</POLineNbr>
<BuyerItemId>CDL-BM01</BuyerItemId>
<BuyerItemDesc>Biscuit Miller's, "Blues with a..."</BuyerItemDesc>
<Qty>1</Qty>
<QtyUOM>EA</QtyUOM>
<UCValue>0.00</UCValue>
<UCCurrencyCode>USD</UCCurrencyCode>
<SupplierItemId></SupplierItemId>
<BarCodeId>884502780246</BarCodeId>
<BarCodeType>GTIN-12</BarCodeType>
Look for XML in $_POST
    // Default to an empty payload so the variable is always defined,
    // even when no POST field looks like an XML document.
    $postXMLPayload = '';
    if(isset($_POST)){
        foreach($_POST as $k=>$v){
            // Take the first field that starts with an XML declaration.
            if(preg_match('/^\<\?xml/',trim($v))){
                // Undo the backslashes added by magic_quotes_gpc before parsing.
                $postXMLPayload = trim(stripslashes($v));
                break;
            }
        }
    }
    libxml_use_internal_errors(true);
    $xml = simplexml_load_string($postXMLPayload);
Errors
Premature end of data in tag BuyerItemDesc line 79
Premature end of data in tag Item line 76
Premature end of data in tag Items line 75
Premature end of data in tag PODetail line 74
Premature end of data in tag NAMM_PO line 2
UPDATE: This was caused by unsanitized data in the XML element. To correct this, I added htmlspecialchars():
    $payload = htmlspecialchars(stripslashes(trim($postXMLPayload)));
Answer 1:
This was caused by unsanitized data in the XML element. To correct this, I added htmlspecialchars():
    $payload = htmlspecialchars(stripslashes(trim($postXMLPayload)));
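The following is an added example, not code from the question or the answer above. It shows how a service that accepts XML from an untrusted client would normally read and parse the document: take the raw body from php://input rather than $_POST (a form-decoded body is split on & and has + and %xx rewritten, which mangles XML), strip magic_quotes backslashes only when PHP actually added them, and parse with entity loading and network access disabled so the client cannot mount an XXE or entity-expansion attack. It also shows where htmlspecialchars belongs when XML is being built: on each untrusted value, because applying it to the whole document turns the tags themselves into text. The function names load_untrusted_xml and xml_text and the sample payloads are constructed for this example; the quoted BuyerItemDesc value is taken from the question.

```php
<?php
// Added example, not from the original question or answer.
declare(strict_types=1);

/**
 * Parse untrusted XML. Returns the SimpleXMLElement on success, or null and
 * fills $errors with human-readable libxml messages on failure.
 */
function load_untrusted_xml(string $raw, array &$errors): ?SimpleXMLElement
{
    $errors = [];

    // Undo magic_quotes_gpc backslashes only when PHP actually added them.
    // (The setting is gone since PHP 5.4; the guard keeps this portable.)
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        $raw = stripslashes($raw);
    }
    $raw = trim($raw);

    // Reject documents that declare a DTD outright: inline or external entity
    // declarations are the vector for XXE and entity-expansion DoS.
    if (preg_match('/<!DOCTYPE/i', $raw)) {
        $errors[] = 'DOCTYPE declarations are not accepted';
        return null;
    }

    // On PHP < 8.0 external entity loading is on by default; turn it off.
    if (PHP_VERSION_ID < 80000 && function_exists('libxml_disable_entity_loader')) {
        libxml_disable_entity_loader(true);
    }

    libxml_use_internal_errors(true);
    libxml_clear_errors();

    // LIBXML_NONET forbids network access while parsing. LIBXML_NOENT and
    // LIBXML_DTDLOAD are deliberately NOT passed: they would expand entities.
    $xml = simplexml_load_string($raw, 'SimpleXMLElement', LIBXML_NONET);

    if ($xml === false) {
        foreach (libxml_get_errors() as $e) {
            $errors[] = sprintf('line %d: %s', $e->line, trim($e->message));
        }
        libxml_clear_errors();
        return null;
    }
    return $xml;
}

/**
 * Escape one untrusted value for use as element text when BUILDING XML.
 * This is the place for htmlspecialchars: on the value, never on the whole
 * document, since escaping the document turns its tags into plain text.
 */
function xml_text(string $value): string
{
    return htmlspecialchars($value, ENT_XML1 | ENT_QUOTES, 'UTF-8');
}

// --- Demonstration with constructed inputs -------------------------------

// Read the raw body instead of $_POST. When run from the command line there
// is no body, so fall back to a constructed sample using the question's value.
$raw = PHP_SAPI === 'cli' ? '' : (string) file_get_contents('php://input');
if ($raw === '') {
    $raw = '<?xml version="1.0"?><Item>'
         . '<BuyerItemDesc>Biscuit Miller\'s, "Blues with a..."</BuyerItemDesc>'
         . '</Item>';
}

$errors = [];
$doc = load_untrusted_xml($raw, $errors);
echo $doc !== null
    ? "parsed: " . (string) $doc->BuyerItemDesc . "\n"
    : "rejected:\n  " . implode("\n  ", $errors) . "\n";

// Quotes and apostrophes are legal in element text and parse fine. A bare '&'
// in element text is the kind of input that does fail:
$bad = '<?xml version="1.0"?><Item><BuyerItemDesc>Fish & Chips</BuyerItemDesc></Item>';
load_untrusted_xml($bad, $errors);            // $errors[0] reports xmlParseEntityRef

// Escaping the value (not the document) before embedding it is the fix:
$good = '<Item><BuyerItemDesc>' . xml_text('Fish & Chips') . '</BuyerItemDesc></Item>';
$doc2 = load_untrusted_xml($good, $errors);   // (string) $doc2->BuyerItemDesc is 'Fish & Chips'
```

Run it from the command line to see the sample parse, or behind a web server and POST an XML body to it; anything the parser rejects comes back as libxml's own line-numbered messages, which is what the "Premature end of data" lines in the question are.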
Source: https://stackoverflow.com/questions/14236607/xml-data-cleanup-before-calling-simplexml