Comment 6 for bug 1340151

Aaron Wells (u-aaronw) wrote :

Dan helpfully posted a bunch of links in the bug description showing how other products have addressed this problem. I find the Mediawiki one to be the most concise and explanatory: http://www.mediawiki.org/wiki/XML_External_Entity_Processing

Based on that, we need this plan of action:

1. Remove the part from init.php where we do libxml_disable_entity_loader(true);

2. Provide wrapper functions for DOMDocument -> loadXML() and simplexml_load_string(), which will run libxml_disable_entity_loader() before the vulnerable code, and then set it back to the old value immediately after.

3. Replace all existing calls to DOMDocument -> loadXML() and simplexml_load_string() with calls to our wrapper functions.

XMLReader->XML() is also vulnerable, but we don't use that in the Mahara codebase anywhere.

We'll need to test this to make sure that it no longer crashes Moodle, *and* that it doesn't leave us vulnerable to the initial security issue we were trying to fix.
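
One way the wrappers from steps 2 and 3 could look, as an added example that is not part of the original comment and is not Mahara's code. The function names are hypothetical and PHP 7 or later is assumed; the `finally` block restores the previous setting even when parsing throws.

```php
<?php
// Added example: hypothetical helper names, not Mahara's actual functions.

/**
 * Run $parse with the libxml external entity loader disabled, then restore
 * whatever setting was in force before, even if $parse throws.
 */
function xml_with_entities_disabled(callable $parse) {
    // libxml_disable_entity_loader() returns the previous setting.
    // It is deprecated as of PHP 8.0, so only call it on older versions.
    $legacy = PHP_VERSION_ID < 80000;
    $previous = $legacy ? libxml_disable_entity_loader(true) : null;
    try {
        return $parse();
    } finally {
        if ($legacy) {
            // Put the global flag back so unrelated code is not affected.
            libxml_disable_entity_loader($previous);
        }
    }
}

// Wrapper for DOMDocument->loadXML().
function safe_dom_load_xml(DOMDocument $doc, string $xml, int $options = 0): bool {
    return xml_with_entities_disabled(function () use ($doc, $xml, $options) {
        return $doc->loadXML($xml, $options);
    });
}

// Wrapper for simplexml_load_string().
function safe_simplexml_load_string(string $xml, int $options = 0) {
    return xml_with_entities_disabled(function () use ($xml, $options) {
        return simplexml_load_string($xml, 'SimpleXMLElement', $options);
    });
}

// Constructed sample input.
$xml = '<?xml version="1.0"?><profile><name>test</name></profile>';
$doc = new DOMDocument();
var_dump(safe_dom_load_xml($doc, $xml));
var_dump((string) safe_simplexml_load_string($xml)->name);
```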