diff --git a/lib/SimpleSAML/Utilities.php b/lib/SimpleSAML/Utilities.php
index f94580ef4bb6f3e78e045e174e0e76d7848ac1eb..af36ed752bf0af3e64401f5c284b9601c6e2267e 100644
--- a/lib/SimpleSAML/Utilities.php
+++ b/lib/SimpleSAML/Utilities.php
@@ -1930,6 +1930,17 @@ class SimpleSAML_Utilities {
 		date_default_timezone_set($serverTimezone);
 	}
 
+	/**
+	 * Disable the loading of external entities in XML documents to prevent local and
+	 * remote file inclusion attacks. This is in most cases already disabled by default
+	 * in system libraries, but to be safe we explicitly disable it also.
+	 */
+	public static function disableXMLEntityLoader() {
+		/* Function only present in PHP >= 5.2.11 while we support 5.2+ */
+		if ( function_exists('libxml_disable_entity_loader') ) {
+			libxml_disable_entity_loader();
+		}
+	}
 
 	/**
 	 * Atomically write a file.
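Review bot: `disableXMLEntityLoader()` fails open without a trace: when `function_exists('libxml_disable_entity_loader')` is false (PHP 5.2.0 to 5.2.10, per the inline comment) the method returns having changed nothing, and nothing tells the operator that entity loading was left at the library default. The docblock should say so, for example `On PHP < 5.2.11 this is a no-op; external entity handling then depends on the installed libxml2.` I would also pass the argument explicitly, `libxml_disable_entity_loader(true);`, so the intent does not rest on the parameter's default. Separately, with the loader disabled libxml also refuses to fetch documents by path or URL, so any caller that parses XML straight from a file would presumably need to read it first and parse the string; that deserves a line in the docblock. The enclosing class SimpleSAML_Utilities begins and ends outside this hunk.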
diff --git a/www/_include.php b/www/_include.php
index d0e483b2fa789c6c59b34b68f8fa7a7980c8dba7..4e9b35541c3adbfced06cab3f719e903e90669a7 100644
--- a/www/_include.php
+++ b/www/_include.php
@@ -107,5 +107,5 @@ if (!file_exists($configdir . '/config.php')) {
 
 /* Set the timezone. */
 SimpleSAML_Utilities::initTimezone();
-
-?>
\ No newline at end of file
+/* Disable XML external entity loading explicitly. */
+SimpleSAML_Utilities::disableXMLEntityLoader();
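Review bot: The call added at the end of `www/_include.php` protects only requests that pass through this include; any entry point that parses XML without it (a command-line script, or code that pulls in the library directly) would still run with the entity loader enabled, though no such path is visible in this diff. If such entry points exist, calling `SimpleSAML_Utilities::disableXMLEntityLoader();` from the bootstrap they share, or immediately before the XML parsing call sites, would close the gap. At minimum the comment could record the scope: `/* Disable XML external entity loading for all web entry points that include this file. */`.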