How to Check Text Inputs for XML External Entity (XXE) Attacks in PHP

1 min readMar 21, 2023

Preventing XXE (XML External Entity) attacks starts with cleaning up your application’s XML parser. You can whitelist XML entities or disable external entity references altogether — and you should always make sure your parser libraries are patched and updated.

On top of these best practices, you can also use one of our free content security APIs to identify XXE attempts from text input. With this additional security measure in place, you’ll add critical redundancy to your data parsing workflow, ensuring malicious entities can’t trick your application into giving away sensitive information.

To take advantage of our XXE Detection API for free, you’ll first need to register a free account on our website; this will provide you with a free-tier API key to authenticate each request. After that, you can follow two simple steps below to structure your API call with ready-to-run PHP code examples (or find alternative code examples here).

First, run the following command to install the SDK:

composer require cloudmersive/cloudmersive_security_api_client

With installation complete, copy the remaining code examples to structure your request:

require_once(__DIR__ . '/vendor/autoload.php');

// Configure API key authorization: Apikey
$config = Swagger\Client\Configuration::getDefaultConfiguration()->setApiKey('Apikey', 'YOUR_API_KEY');

$apiInstance = new Swagger\Client\Api\ContentThreatDetectionApi(

new GuzzleHttp\Client(),
$value = "value_example"; // string | User-facing text input.

try {
$result = $apiInstance->contentThreatDetectionCheckXxe($value);
} catch (Exception $e) {
echo 'Exception when calling ContentThreatDetectionApi->contentThreatDetectionCheckXxe: ', $e->getMessage(), PHP_EOL;

All done — easy!




There’s an API for that. Cloudmersive is a leader in Highly Scalable Cloud APIs.