• Resolved Bryan Willis

    (@codecandid)


    Several hosts don’t support the XML import function used by Formidable because apparently it is a security risk.

    libxml_disable_entity_loader

    I use the Premium Paid Version as well as the Free version on several different websites of mine. I have some very complex and lengthy forms and views I’ve built that I would build first on my own testing site before moving them over to another site. Unfortunately, since it’s not possible to import on a lot of hosts using this function, I might have to start from scratch on a lot of forms which I really would like to avoid 🙂

    Do you know any easy workaround for this? Some options I’ve thought might work:
    – Bypass the function with libxml_disable_entity_loader(false). Unfortunately, this didn’t work.
    – Log in to the database and copy the relevant table data to the other database. Will this work? If so, what is the table called?
    – The function apparently is for external imports. Is there a way to import if I copy the XML file to the web server?

    Also, aside from my own self interest in the matter, I wanted to post to at least make sure you are aware of this “potential” security risk. Two hosts that I know block this function are Kinsta and WPMUDev.

    Anyway, thanks for any help or suggestions! Other than this one issue I’ve had this really has been an awesome plugin and way easier to style than Gravity Forms was.

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Support formidablematthew

    (@formidablematthew)

    Hi Bryan,

    I did some research on this and couldn’t find anything about Kinsta blocking XML imports, but WPMUDev stated that this function is completely safe to whitelist in a support topic here, also referring to Formidable Forms: https://premium.wpmudev.org/forums/topic/xml-import-is-not-enabled-on-wpmu-host

    Our suggestion is to contact your hosts to get that function whitelisted so you can import forms.

    Plugin Author srwells

    (@srwells)

    Hi Bryan,
    I reached out to the folks at Kinsta, and they confirmed that XML uploads are not blocked in any of their configurations.

    Hey, thanks for reaching out. Sorry for the late follow-up; I forgot to follow this thread.

    I had also come across that article on WPMUDev, but upon further review I noticed that it seems XML is still blocked, so I’m not sure if they ended up deciding it was a risk or they just haven’t updated their docs.

    https://premium.wpmudev.org/docs/hosting/sftp-ssh/#chapter-disabled-functions-php-ini

    Also, Kinsta originally told me the same thing about not blocking XML, but after I asked them to look into it more closely they confirmed that this function was set and blocking XML import.

    libxml_disable_entity_loader(true)

    Here’s what they said as to why…

    “It looks like it can cause a security issue if another script changes the secure connection setting to false/disabled.”

    I can confirm that Kinsta, at least, will enable this on an individual basis and did so for me. However, they said that when the PHP updates to a newer version it will revert the change and to reach out again if I need to.

    Anyway, I guess if any other users run into this problem with Kinsta, just let them know to reach out to Kinsta and they will bypass this on request for now. Personally, I’m going to have them enable the block again once I upload my backups, just to be on the safe side.

    After doing a little more research, it looks like the possible security risk is an XML eXternal Entity (XXE) attack. Here’s a really good writeup about it: https://gardienvirtuel.ca/fr/actualites/from-xml-to-rce.php

    Anyway, thanks for the support and hope this information helps. Let me know if you have any questions!
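
As an added example (not code from Formidable Forms or from either host), here is one way an importer can parse an uploaded XML file without calling libxml_disable_entity_loader at all, so the XXE risk mentioned above stays closed even where a host has disabled that function. The helper name `safe_load_export` and the sample XML strings are assumptions made for illustration.

```php
<?php
// Added example: safe_load_export() is a hypothetical helper, not plugin code.
function safe_load_export(string $xml): SimpleXMLElement
{
    // libxml 2.9.0+ does not load external entities unless asked to, so
    // nothing has to be toggled at runtime. Refuse to parse on older builds.
    if (LIBXML_VERSION < 20900) {
        throw new RuntimeException('libxml older than 2.9.0: refusing to parse');
    }
    $prevErrors = libxml_use_internal_errors(true);
    try {
        $dom = new DOMDocument();
        // LIBXML_NONET blocks network access during parsing. LIBXML_NOENT and
        // LIBXML_DTDLOAD are deliberately absent: those are the flags that
        // switch entity substitution and external DTD loading back on.
        if (!$dom->loadXML($xml, LIBXML_NONET)) {
            throw new RuntimeException('Malformed XML');
        }
        // An export file has no need for a DTD, and entities can only be
        // declared inside one, so any DOCTYPE is rejected outright.
        foreach ($dom->childNodes as $node) {
            if ($node->nodeType === XML_DOCUMENT_TYPE_NODE) {
                throw new RuntimeException('DOCTYPE not allowed in import file');
            }
        }
        $root = simplexml_import_dom($dom);
        if ($root === null) {
            throw new RuntimeException('Could not convert document');
        }
        return $root;
    } finally {
        // Restore the caller's libxml error handling state.
        libxml_clear_errors();
        libxml_use_internal_errors($prevErrors);
    }
}

// Constructed sample inputs (not a real Formidable export).
$ok  = '<?xml version="1.0"?><channel><form><name>Contact</name></form></channel>';
$bad = '<?xml version="1.0"?><!DOCTYPE channel [<!ENTITY x "y">]><channel>&x;</channel>';

echo safe_load_export($ok)->form->name, PHP_EOL;
try {
    safe_load_export($bad);
} catch (RuntimeException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```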

    Plugin Author srwells

    (@srwells)

    Thanks for the update! We’ll pass that along to any others who might be running into this issue on Kinsta.

  • The topic ‘Import XML Function Issue’ is closed to new replies.