From fbc1539ae8a212396b2ff0960d924ff99f073bde Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Enrique=20Lo=CC=81pez=20Man=CC=83as?=
 <eenriquelopez@gmail.com>
Date: Wed, 15 Apr 2026 09:38:26 +0200
Subject: [PATCH] fix: disable XML external entities in KML parser

---
 .../main/java/com/google/maps/android/data/kml/KmlLayer.java    | 2 ++
 .../test/java/com/google/maps/android/data/kml/KmlTestUtil.java | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/library/src/main/java/com/google/maps/android/data/kml/KmlLayer.java b/library/src/main/java/com/google/maps/android/data/kml/KmlLayer.java
index 99e2f5007..a0feb7361 100644
--- a/library/src/main/java/com/google/maps/android/data/kml/KmlLayer.java
+++ b/library/src/main/java/com/google/maps/android/data/kml/KmlLayer.java
@@ -198,6 +198,8 @@ private static KmlParser parseKml(InputStream stream) throws XmlPullParserExcept
      */
     private static XmlPullParser createXmlParser(InputStream stream) throws XmlPullParserException {
         XmlPullParserFactory factory = XmlPullParserFactory.newInstance();
+        factory.setFeature(XmlPullParser.FEATURE_PROCESS_DOCDECL, false);
+        factory.setFeature(XmlPullParser.FEATURE_VALIDATION, false);
         factory.setNamespaceAware(true);
         XmlPullParser parser = factory.newPullParser();
         parser.setInput(stream, null);
diff --git a/library/src/test/java/com/google/maps/android/data/kml/KmlTestUtil.java b/library/src/test/java/com/google/maps/android/data/kml/KmlTestUtil.java
index 55553aada..d603edf38 100644
--- a/library/src/test/java/com/google/maps/android/data/kml/KmlTestUtil.java
+++ b/library/src/test/java/com/google/maps/android/data/kml/KmlTestUtil.java
@@ -36,6 +36,8 @@ public class KmlTestUtil {
     static XmlPullParser createParser(String fileName) throws XmlPullParserException, IOException {
         InputStream stream = KmlTestUtil.class.getClassLoader().getResourceAsStream(fileName);
         XmlPullParserFactory factory = XmlPullParserFactory.newInstance();
+        factory.setFeature(XmlPullParser.FEATURE_PROCESS_DOCDECL, false);
+        factory.setFeature(XmlPullParser.FEATURE_VALIDATION, false);
         factory.setNamespaceAware(true);
         XmlPullParser parser = factory.newPullParser();
         parser.setInput(stream, null);