Grav - XML External Entity Injection via SVG Upload
Description
Grav before 2.0.0-beta.2 contains an XML external entity injection vulnerability in SVG file upload processing that allows authenticated attackers to read arbitrary files. The application uses simplexml_load_string without disabling external entity loading, enabling attackers to inject XXE payloads via malicious SVG files to exfiltrate sensitive data.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
Patches
Vulnerability mechanics
Root cause
"The application uses simplexml_load_string() without disabling external entity loading, allowing XXE injection in SVG file upload processing."
Attack vector
An attacker authenticates to the Grav admin panel, then uploads a malicious SVG file containing an XXE payload via Pages → Media or the File Manager plugin [ref_id=1]. The server parses the SVG with `simplexml_load_string()` while external entity loading remains enabled, causing the XML parser to expand external entities that reference local files like `/etc/passwd` or `user/accounts/*.yaml` [ref_id=1]. This allows the attacker to exfiltrate sensitive file contents in the response or stored output [ref_id=1]. The attack requires no special privileges beyond standard admin panel access [CWE-611].
Affected code
The vulnerable code path is in `system/src/Grav/Common/Page/Medium/VectorImageMedium.php`, where `simplexml_load_string()` processes uploaded SVG content without disabling external entity loading [ref_id=1]. The same issue exists in the `rhukster/dom-sanitizer` library's `loadDocument` method [ref_id=1].
What the fix does
The fix applies two layers of defense [ref_id=1]. In `VectorImageMedium::__construct`, `<!DOCTYPE>` and `<!ENTITY>` declarations are stripped from the SVG before it reaches `simplexml_load_string()`, which is called with `LIBXML_NONET | LIBXML_NOERROR | LIBXML_NOWARNING`; on PHP < 8, `libxml_disable_entity_loader(true)` is also called for the duration of the parse [ref_id=1]. The same stripping and the `LIBXML_NONET` flag are applied in the `loadDocument` method of the `rhukster/dom-sanitizer` library [ref_id=1]. Stripping the declarations removes the only place where an external (`SYSTEM`) entity or a recursively expanding entity chain can be defined, which is what neutralizes both XXE file disclosure and billion-laughs expansion; `LIBXML_NONET` additionally stops the parser from fetching anything over the network, and the disabled entity loader stops local `file://` loads on older PHP builds whose libxml still performed them by default [ref_id=1]. Note that `LIBXML_NONET` on its own does not block `file://` entities, so the stripping is the primary control and the flag is the backstop.
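The following is an added example for this page, not code from Grav or from `rhukster/dom-sanitizer`. It puts the pre-fix parsing pattern next to a hardened loader built the way the fix description above lays it out (strip declarations, disable the entity loader on PHP < 8, parse with `LIBXML_NONET`). The SVG payload is constructed here to illustrate the attack vector; `loadSvgVulnerable`, `stripEntityDeclarations` and `loadSvgSafely` are illustrative names rather than functions from the project, and the stripping regex is an assumption about how such a filter can be written, not the patch's exact expression.

```php
<?php
declare(strict_types=1);

// Constructed payload (not from the advisory): an SVG whose internal DTD
// declares an external entity pointing at a local file and references it
// from a text node, the shape of payload the attack vector above describes.
const MALICIOUS_SVG = <<<'SVG'
<?xml version="1.0"?>
<!DOCTYPE svg [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <text x="0" y="5">&xxe;</text>
</svg>
SVG;

// Constructed benign upload, to show the hardened loader still accepts normal SVGs.
const BENIGN_SVG = '<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg" width="10" height="10"><rect width="10" height="10"/></svg>';

// Pre-fix pattern (illustrative): parse the upload with the parser's defaults.
// Whether the SYSTEM entity is actually fetched depends on the PHP/libxml build;
// on builds whose libxml loads external entities by default, the file content
// ends up in the parsed tree and can be read back by the uploader.
function loadSvgVulnerable(string $svg): ?SimpleXMLElement
{
    $doc = @simplexml_load_string($svg);
    return $doc === false ? null : $doc;
}

// Illustrative filter (assumption: the patch's exact expression may differ).
// Removes a <!DOCTYPE ...> declaration, including any [ internal subset ],
// and any <!ENTITY ...> declaration that appears on its own.
function stripEntityDeclarations(string $xml): string
{
    $xml = preg_replace('/<!DOCTYPE\b[^>\[]*(?:\[[^\]]*\])?\s*>/i', '', $xml);
    $xml = preg_replace('/<!ENTITY\b[^>]*>/i', '', $xml);
    return $xml;
}

// Hardened loader mirroring the fix's layering. LIBXML_NONET only blocks
// network fetches, not file:// entities, which is why stripping comes first.
// libxml_disable_entity_loader() is deprecated on PHP 8, whose libxml does not
// load external entities by default, so it is only called on PHP < 8.
function loadSvgSafely(string $svg): ?SimpleXMLElement
{
    $cleaned = stripEntityDeclarations($svg);

    // Belt and braces: if the regex left any declaration behind (for example a
    // DTD subset containing a stray ']'), reject the upload rather than parse it.
    if (preg_match('/<!(?:DOCTYPE|ENTITY)\b/i', $cleaned)) {
        return null;
    }

    $loaderWasDisabled = null;
    if (PHP_VERSION_ID < 80000) {
        $loaderWasDisabled = libxml_disable_entity_loader(true);
    }
    $useErrors = libxml_use_internal_errors(true);
    try {
        $doc = simplexml_load_string(
            $cleaned,
            SimpleXMLElement::class,
            LIBXML_NONET | LIBXML_NOERROR | LIBXML_NOWARNING
        );
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($useErrors);
        if ($loaderWasDisabled !== null) {
            libxml_disable_entity_loader($loaderWasDisabled);
        }
    }
    return $doc === false ? null : $doc;
}

// After stripping, the orphaned &xxe; reference is an undeclared entity in a
// document with no DTD, which libxml treats as a fatal well-formedness error,
// so the malicious upload is rejected instead of being read back.
$bad = loadSvgSafely(MALICIOUS_SVG);
echo $bad === null ? "hardened loader: malicious SVG rejected\n"
                   : "hardened loader: malicious SVG parsed\n";

$good = loadSvgSafely(BENIGN_SVG);
echo $good === null ? "hardened loader: benign SVG rejected\n"
                    : "hardened loader: benign SVG accepted, root <" . $good->getName() . ">\n";

$unsafe = loadSvgVulnerable(MALICIOUS_SVG);
echo $unsafe === null ? "vulnerable loader: payload rejected\n"
                      : "vulnerable loader: payload accepted (content depends on libxml build)\n";
```

Run it with `php example.php`. The design point worth keeping is the order of operations: the declaration stripping and the post-strip check run before any libxml call, so the parser never sees a DTD at all; `LIBXML_NONET` and the disabled entity loader are there to limit damage if a declaration ever slipped past the filter, not to carry the defense on their own.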
Preconditions
- auth: Attacker must be authenticated to the Grav admin panel
- input: Attacker uploads a crafted SVG file with an XXE payload through the Media or File Manager interface
Generated on Jun 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/getgrav/grav/security/advisories/GHSA-3446-6mgw-f79p (mitre, vendor-advisory)
- www.vulncheck.com/advisories/grav-xml-external-entity-injection-via-svg-upload (mitre, third-party-advisory)