WordPress 5.7 XXE Vulnerability
We discussed this vulnerability during Episode 75 on 04 May 2021
This one is just a silly issue. On PHP versions below 8, libxml_disable_entity_loader(true) is called to disable external entities. This function is deprecated in PHP 8 because remote entities are disabled by default. The problem is that simplexml_load_string is called with the LIBXML_NOENT flag, which means no entities should remain in the output, so the parser resolves and replaces them. This means it turns external entities back on.
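The pattern described above beside a version without the flag, as an added example (not WordPress's own code). The function names parse_weak, parse_hardened and expands_external_entity and the marker file are constructed for illustration; the check reports whether a parser wrapper substituted an external entity into its output.

```php
<?php
// Added example: function names and sample data are constructed for illustration.

// Pattern from the text: the guard only runs on PHP < 8, and
// LIBXML_NOENT asks libxml to substitute entities into the output.
function parse_weak(string $xml)
{
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }
    return simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NOENT);
}

// Corrected form: LIBXML_NOENT is dropped so entity references are not
// substituted; LIBXML_NONET additionally forbids network access while parsing.
function parse_hardened(string $xml)
{
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }
    return simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
}

// Regression check: feed the parser a document whose external entity points
// at a throwaway marker file and report whether the marker reached the output.
function expands_external_entity(callable $parser): bool
{
    $marker = 'constructed-marker-' . bin2hex(random_bytes(4));
    $path = tempnam(sys_get_temp_dir(), 'xxe');
    file_put_contents($path, $marker);

    $xml = '<?xml version="1.0"?>'
         . '<!DOCTYPE r [<!ENTITY e SYSTEM "file://' . $path . '">]>'
         . '<r>&e;</r>';

    $previous = libxml_use_internal_errors(true); // keep parser warnings quiet
    $doc = $parser($xml);
    libxml_use_internal_errors($previous);
    unlink($path);

    return $doc !== false && strpos((string) $doc, $marker) !== false;
}

foreach (['parse_weak', 'parse_hardened'] as $parser) {
    printf("%s expands external entity: %s\n", $parser,
        expands_external_entity($parser) ? 'yes' : 'no');
}
```

Pointing expands_external_entity at an application's own XML wrapper in a test suite catches a reintroduced LIBXML_NOENT regardless of which PHP version the guard branches on.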