From 93caa1a4771aa06dc056d9c0f3ed351fcc0a3e36 Mon Sep 17 00:00:00 2001
From: shado23
Date: Thu, 22 Feb 2018 18:02:59 +0100
Subject: [PATCH] Set safe defaults for parser settings

The library should be safe by default and potentially unsafe features should be explicitly enabled by the user if needed.
---
 .../main/scala/scala/xml/factory/XMLLoader.scala | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/shared/src/main/scala/scala/xml/factory/XMLLoader.scala b/shared/src/main/scala/scala/xml/factory/XMLLoader.scala
index 58e2260f9..8d5a6a935 100644
--- a/shared/src/main/scala/scala/xml/factory/XMLLoader.scala
+++ b/shared/src/main/scala/scala/xml/factory/XMLLoader.scala
@@ -25,9 +25,18 @@ trait XMLLoader[T <: Node] {
 
   /* Override this to use a different SAXParser. */
   def parser: SAXParser = {
-    val f = SAXParserFactory.newInstance()
-    f.setNamespaceAware(false)
-    f.newSAXParser()
+    val parser = SAXParserFactory.newInstance()
+
+    parser.setFeature("http://javax.xml.XMLConstants/feature/secure-processing", true)
+    parser.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false)
+    parser.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)
+    parser.setFeature("http://xml.org/sax/features/external-parameter-entities", false)
+    parser.setFeature("http://xml.org/sax/features/external-general-entities", false)
+    parser.setFeature("http://xml.org/sax/features/resolve-dtd-uris", false)
+    parser.setXIncludeAware(false)
+    parser.setNamespaceAware(false)
+
+    parser.newSAXParser()
   }
 
   /**
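Review bot: The feature URIs are set unconditionally, and `SAXParserFactory.setFeature` throws `SAXNotRecognizedException` for a URI the resolved provider does not know, so `parser` now fails outright whenever `SAXParserFactory.newInstance()` resolves (via the service loader or the `javax.xml.parsers.SAXParserFactory` system property) to a non-Xerces implementation that lacks the two `http://apache.org/xml/features/...` names. The standard `http://xml.org/sax/features/external-*-entities` features should remain mandatory, but the Apache-specific ones either need a documented requirement on a Xerces-derived parser or a guarded best-effort application that is logged when skipped. `disallow-doctype-decl` is also a visible behaviour change — any input containing a `<!DOCTYPE ...>` declaration now raises a `SAXParseException` even though external entity and DTD loading are already disabled by the other features — and the commit message should say so, since callers loading DTD-bearing documents must override `parser` to keep the old behaviour. The comment above the method should state what an override gives up, e.g. `/* Override this to use a different SAXParser. Overriding bypasses the hardening below (external entities, external DTDs and DOCTYPE declarations are disabled by default); re-apply the features you need. */`. For the secure-processing URI the JAXP constant `javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING` already exists and avoids the string literal.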