Disable SimpleXML entity loader in Phabricator

Summary: See D8049. Same deal as that one, but this is in the Phabricator web stack.

Test Plan: Man oh man.

Reviewers: btrahan

Reviewed By: btrahan

CC: aran

Differential Revision: https://secure.phabricator.com/D8050

support/PhabricatorStartup.php

@@ -280,6 +280,11 @@ final class PhabricatorStartup {
   private static function setupPHP() {
     error_reporting(E_ALL | E_STRICT);
     ini_set('memory_limit', -1);
+
+    // If we have libxml, disable the incredibly dangerous entity loader.
+    if (function_exists('libxml_disable_entity_loader')) {
+      libxml_disable_entity_loader(true);
+    }
   }
 
   /**