
I'm creating a hacking lab (XML injection) and I want to save the text as it is.

for example:

input text: tryingtoattack"

But DOMDocument is encoding the quotes (or any special char) like this:

output text: tryingtoattack&quot;

So my question is: how can I write the XML file without encoding the quotes (or any other char)?

Here's my code:

    if (isset($_GET['name']) && isset($_GET['price'])) {
        print_r($_GET['name']);

        // Load the existing product list from disk.
        $addproduct = new DOMDocument('1.0', 'utf-8');
        $addproduct->load('./usres.xml');

        // The parent of the first <product> is the container all products live in.
        $products = $addproduct->getElementsByTagName('product')->item(0)->parentNode;

        // Build the new <product> node from the raw GET parameters.
        $product = $addproduct->createElement('product');
        // Attribute values are escaped by libxml on save, so " becomes &quot;.
        $product->setAttribute('product-name', $_GET['name']);
        $name = $addproduct->createElement('name', $_GET['name']);
        $product->appendChild($name);
        $price = $addproduct->createElement('price', $_GET['price']);
        $product->appendChild($price);

        // With no reference node, insertBefore() appends at the end.
        $products->insertBefore($product);
        $addproduct->save('./usres.xml');
    }
  • Have you considered a `cdata` section? – Professor Abronsius Jan 20 '22 at 07:22
  • Kindly explain what you mean by cdata? – Mirza Hasnat Jan 20 '22 at 07:46
  • I don't think you _can_ do that using DOMDocument - it is not made for creating invalid XML. – CBroe Jan 20 '22 at 07:51
  • @cbroe can you please give me any other suggestions? – Mirza Hasnat Jan 20 '22 at 09:53
  • What _exactly_ are you trying to achieve? If you want to _produce_ any injection - well then you can't use tools that were already written so as to mitigate those attack vectors. You might have to create/modify the document manually then (depending on what the actual purpose is.) – CBroe Jan 20 '22 at 09:59
  • Actually I'm working on `WSTG labs`, so I'm trying to make a page with `xml injection`. It's very similar to `sql injection`, so I'm using `DOMDocument` in `php`. So my simple question is: how can I make this page vulnerable to `xml injection` using `php`? – Mirza Hasnat Jan 21 '22 at 10:30
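The point raised in the comments, shown side by side as an added example (not the asker's code): the same product record written through DOMDocument, which escapes markup characters so the document stays well-formed, and through plain string concatenation, which does not. The input value and the `buildWithDom`/`buildWithConcat`/`parses` helpers are constructed for this demonstration.

```php
<?php
// Added example: DOMDocument escaping versus raw string assembly, on one
// constructed input that carries every character XML treats as markup.

function buildWithDom(string $name, string $price): string
{
    $doc = new DOMDocument('1.0', 'utf-8');
    $doc->loadXML('<products/>');
    $product = $doc->createElement('product');
    // Attribute values are escaped on save: " becomes &quot;, < becomes &lt;.
    $product->setAttribute('product-name', $name);
    $nameEl = $doc->createElement('name');
    // createTextNode() escapes <, > and & in element text. The optional value
    // argument of createElement() is documented in the PHP manual as NOT
    // escaped, so text nodes are the reliable way to add untrusted content.
    $nameEl->appendChild($doc->createTextNode($name));
    $priceEl = $doc->createElement('price');
    $priceEl->appendChild($doc->createTextNode($price));
    $product->appendChild($nameEl);
    $product->appendChild($priceEl);
    $doc->documentElement->appendChild($product);
    return $doc->saveXML();
}

function buildWithConcat(string $name, string $price): string
{
    // Raw string assembly: nothing is escaped, so the input is read as markup.
    return '<?xml version="1.0"?><products><product product-name="' . $name . '">'
         . '<name>' . $name . '</name><price>' . $price . '</price></product></products>';
}

function parses(string $xml): bool
{
    // Silence libxml warnings and report only whether the document is well-formed.
    $doc = new DOMDocument();
    $prev = libxml_use_internal_errors(true);
    $ok = $doc->loadXML($xml);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    return $ok !== false;
}

// Constructed input: a quote, an element and an ampersand in one value.
$name  = 'tryingtoattack"<x/>&';
$price = '10';

$safe = buildWithDom($name, $price);
echo $safe, PHP_EOL;            // escaped entities; still exactly one <product>
var_dump(parses($safe));

$raw = buildWithConcat($name, $price);
echo $raw, PHP_EOL;             // input written verbatim into the markup
var_dump(parses($raw));         // the stray quote and bare & make it malformed
```

Run it with `php example.php`; the second document fails to parse because the unescaped input terminates the attribute early and leaves a bare `&`, which is exactly the structural change a lab for this weakness is meant to expose.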
