As many people have found out, entity handling in ext/xml is broken when used with libxml2 2.7.0-2.7.2. The problem lies with the way pre-defined entities are handled, or rather not handled, when used with one of the newer libxml2 versions. The entities &amp;amp;, &amp;lt;, &amp;gt;, &amp;apos; and &amp;quot; never get passed to the user's callbacks, causing a big problem in quite a number of applications out there. Needless to say, I've received a good amount of hate mail over this problem. Got to love people. You never hear how grateful anyone ever is, but sure as hell once there is a problem they are all over you. Anyways, I digress.
Although I have been telling people for a few years now that they should use XMLReader rather than ext/xml, this breakage was not intentional, no matter what anyone says. (Yes, I've had a few throw that out there.) The good news is that the problem has finally been fixed, but the fix requires both an updated PHP (5.2.9+) and libxml2-2.7.3, neither of which has been released yet. Until they are available, the options are: compile your own builds using the code from the libxml2 and PHP repositories; don't upgrade to libxml2 2.7.x if you haven't already; build ext/xml with expat rather than libxml2; or, lastly, convert your PHP code to use XMLReader.
My parting thought on this to everyone is: just switch to the XMLReader extension. It's faster, easier to use and much more powerful.
While working on OAuth implementations for our clients at Mashery, one of the biggest issues I see developers running into is how to debug and fix invalid signature errors. There are numerous OAuth libraries out there (in fact, we even have our own), so how do you determine which side is really generating the correct signature and which has a flaw in the logic? I find that using a third-party library is a great way to quickly zero in on which side is at the root of the issue. The problem, however, is that there are no readily available tools to do this. I have found a number of test applications, but they are pretty much for testing whether a consumer library/app is working correctly against them.
We mostly deal with providing the service provider side of OAuth, meaning numerous different endpoints, so these tools were of little help. I ended up writing a down and dirty signature generation app using the C# OAuth library (so Windows only, folks). It will generate a signature based on the different OAuth parameters you enter. You can use this to compare the signature it generates to that from your consumer app or service provider. Full source code and more detailed information can be found on the Mashery Customer Solutions site. Time permitting, I may continue to add features to this tool. Hopefully others find this useful as well.
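The same kind of independent reference check can be sketched in a few lines. This is an added example, not the Mashery tool or its source; it assumes OAuth 1.0 with the HMAC-SHA1 signature method, the function names are ours, and the sample request is the published worked example from OAuth Core 1.0, Appendix A. It returns the signature base string along with the expected signature, since mismatches usually come from encoding or parameter ordering in that string.

```python
import base64, hashlib, hmac
from urllib.parse import quote, urlsplit

def enc(value):
    # OAuth percent-encoding: escape everything except RFC 3986 unreserved chars
    return quote(str(value), safe="-._~")

def base_url(url):
    # Lowercase scheme and host, drop default ports, query string and fragment
    u = urlsplit(url)
    scheme, host = u.scheme.lower(), (u.hostname or "").lower()
    if u.port and (scheme, u.port) not in (("http", 80), ("https", 443)):
        host += ":%d" % u.port
    return "%s://%s%s" % (scheme, host, u.path or "/")

def signature_base_string(method, url, params):
    # params: all query, form and oauth_* pairs; oauth_signature is excluded
    pairs = sorted((enc(k), enc(v)) for k, v in params if k != "oauth_signature")
    normalized = "&".join("%s=%s" % kv for kv in pairs)
    return "&".join([method.upper(), enc(base_url(url)), enc(normalized)])

def sign_hmac_sha1(base_string, consumer_secret, token_secret=""):
    # Key is the two encoded secrets joined by "&", even if the token is empty
    key = "%s&%s" % (enc(consumer_secret), enc(token_secret))
    digest = hmac.new(key.encode(), base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def check(received, method, url, params, consumer_secret, token_secret=""):
    # Returns (match, base_string, expected) so a mismatch can be diagnosed
    bs = signature_base_string(method, url, params)
    expected = sign_hmac_sha1(bs, consumer_secret, token_secret)
    return hmac.compare_digest(expected, received), bs, expected

# Sample request: the worked example from OAuth Core 1.0, Appendix A
SAMPLE_URL = "http://photos.example.net/photos"
SAMPLE_PARAMS = [
    ("oauth_consumer_key", "dpf43f3p2l4k3l03"), ("oauth_token", "nnch734d00sl2jdk"),
    ("oauth_signature_method", "HMAC-SHA1"), ("oauth_timestamp", "1191242096"),
    ("oauth_nonce", "kllo9940pd9333jh"), ("oauth_version", "1.0"),
    ("file", "vacation.jpg"), ("size", "original"),
]
SAMPLE_SECRETS = ("kd94hf93k423kf44", "pfkkdhi9sl3r4s00")  # consumer, token

if __name__ == "__main__":
    ok, bs, sig = check("tR3+Ty81lMeYAr/Fid0kMTYa/WM=", "GET", SAMPLE_URL,
                        SAMPLE_PARAMS, *SAMPLE_SECRETS)
    print(ok, sig, bs, sep="\n")
```

When the two sides disagree, compare their signature base strings first; the signature itself only tells you that something differs, not what.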