Closed
Description
The constructor new org.dom4j.io.SAXReader() calls one of the factory methods from the Java runtime library – org.xml.sax.helpers.XMLReaderFactory.createXMLReader() or javax.xml.parsers.SAXParserFactory.newInstance().newSAXParser(). These factory methods do not have safe defaults; for example, they download external entities.
Create the new factory method org.dom4j.io.SAXReader.createDefault() which overrides the Java runtime library defaults and sets the following features:
reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
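As an added illustration (not code from the dom4j project or from this issue), the following program applies the same three features by hand to a plain SAXReader and parses a constructed XXE payload with both the unhardened and the hardened reader. The payload, the temporary "secret" file it points at, and the helper names (hardenedReader, parseWith, payloadFor) are assumptions made for the demo; SAXReader.setFeature(String, boolean) and SAXReader.read(Reader) are the existing dom4j API.

```java
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

import org.dom4j.Document;
import org.dom4j.DocumentException;
import org.dom4j.io.SAXReader;
import org.xml.sax.SAXException;

public class HardenedSaxReaderDemo {

    /**
     * Constructed XXE payload: an external general entity that points at a local file.
     * An unhardened parser fetches the file and inlines its contents into <data>.
     */
    static String payloadFor(Path file) {
        return "<?xml version=\"1.0\"?>\n"
             + "<!DOCTYPE data [\n"
             + "  <!ENTITY ext SYSTEM \"" + file.toUri() + "\">\n"
             + "]>\n"
             + "<data>&ext;</data>\n";
    }

    /** Hardened reader: the same features proposed for SAXReader.createDefault(). */
    static SAXReader hardenedReader() throws SAXException {
        SAXReader reader = new SAXReader();
        // Do not fetch an external DTD subset referenced by <!DOCTYPE ... SYSTEM "...">.
        reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        // Do not resolve external general entities (&ext; in element content).
        reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
        // Do not resolve external parameter entities (%ext; inside the DTD).
        reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        return reader;
    }

    /** Parses the document and returns the text content of the root element. */
    static String parseWith(SAXReader reader, String xml) throws DocumentException {
        Document doc = reader.read(new StringReader(xml));
        return doc.getRootElement().getText();
    }

    public static void main(String[] args) throws Exception {
        // Constructed "secret" file so the demo is self-contained and deterministic.
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.write(secret, "SECRET-FILE-CONTENT".getBytes(StandardCharsets.UTF_8));
        String xml = payloadFor(secret);

        // Runtime defaults: the external entity is resolved and the file is exfiltrated.
        String unsafe = parseWith(new SAXReader(), xml);
        System.out.println("default reader  : \"" + unsafe + "\"");

        // Hardened reader: the external entity is skipped, so <data> has no text.
        String safe = parseWith(hardenedReader(), xml);
        System.out.println("hardened reader : \"" + safe + "\"");

        Files.deleteIfExists(secret);
    }
}
```

Run against a JDK-bundled Xerces the first line prints the file contents and the second prints an empty string, because a parser with external-general-entities disabled reports the reference as a skipped entity instead of fetching it. Note that these three features only address external entities; internal entity expansion attacks (for example, recursively nested internal entities) are a separate concern, and for fully untrusted input a practitioner would additionally consider rejecting any DOCTYPE via http://apache.org/xml/features/disallow-doctype-decl, which goes beyond what this issue proposes.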