
Disable access to external entities in XML parsing #200

Closed
flo-dup opened this issue Dec 2, 2020 · 1 comment · Fixed by #215
flo-dup commented Dec 2, 2020

  • Do you want to request a feature or report a bug?
    Security vulnerability correction

  • What is the current behavior?
    XML parser factories can access external entities; see the DomUtil.java file.

  • What is the expected behavior?
    XML parser factories should not be granted external access.

  • What is the motivation / use case for changing the behavior?
    Quality gate passed / avoiding security vulnerability

flo-dup commented Dec 2, 2020

The XML parser factories used should set the attributes XMLConstants.ACCESS_EXTERNAL_SCHEMA, XMLConstants.ACCESS_EXTERNAL_DTD and XMLConstants.ACCESS_EXTERNAL_STYLESHEET to "".
Nonetheless, users having the latest version of Xalan (2.7.2, released in 2014), or users having other libraries not supporting those attributes, would encounter an exception when these attributes are set. We should

  • either ensure we are using a TransformerFactory and a DocumentBuilderFactory supporting those attributes, by discarding those that don't in the ServiceLoader? by forcing the use of the JDK-internal Xalan?
  • or set those attributes anyway, log an explicit error message, and document how to exclude Xalan or others in the migration guide

Note that a new release of Xalan was "looked forward" by the project management committee a year ago, but does not seem to be very likely anymore as the community is not very active (see the corresponding board minutes).
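The second option above (set the attributes anyway and log an explicit error when the implementation rejects them), as an added example that is not the project's DomUtil.java; the class name SafeXmlFactories and the DTD URL are hypothetical, and it relies only on the JDK's javax.xml API:

```java
import java.io.StringReader;
import java.util.logging.Logger;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.TransformerFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

// Hypothetical helper (not the project's own code).
public final class SafeXmlFactories {
    private static final Logger LOG = Logger.getLogger(SafeXmlFactories.class.getName());

    // Sets one access-restriction attribute to "" (deny all protocols). Both factory
    // types throw IllegalArgumentException for unknown attributes, which is what an
    // old Xalan on the classpath does; log it explicitly rather than fail silently.
    private static boolean restrict(Object factory, String attribute) {
        try {
            if (factory instanceof DocumentBuilderFactory) {
                ((DocumentBuilderFactory) factory).setAttribute(attribute, "");
            } else {
                ((TransformerFactory) factory).setAttribute(attribute, "");
            }
            return true;
        } catch (IllegalArgumentException e) {
            LOG.severe(factory.getClass().getName() + " does not support " + attribute
                    + "; external access stays enabled. Exclude the conflicting XML "
                    + "library (e.g. Xalan 2.7.2) from the classpath.");
            return false;
        }
    }

    public static DocumentBuilderFactory documentBuilderFactory() {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        restrict(f, XMLConstants.ACCESS_EXTERNAL_DTD);
        restrict(f, XMLConstants.ACCESS_EXTERNAL_SCHEMA);
        return f;
    }

    public static TransformerFactory transformerFactory() {
        TransformerFactory f = TransformerFactory.newInstance();
        restrict(f, XMLConstants.ACCESS_EXTERNAL_DTD);
        restrict(f, XMLConstants.ACCESS_EXTERNAL_STYLESHEET);
        return f;
    }

    public static void main(String[] args) throws Exception {
        // Constructed input referencing an external DTD at a placeholder URL; with the
        // restriction enforced, the JDK parser refuses to fetch it and throws.
        String xml = "<!DOCTYPE root SYSTEM \"http://example.invalid/ext.dtd\"><root/>";
        try {
            documentBuilderFactory().newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
            System.out.println("parsed: restriction was NOT enforced by this implementation");
        } catch (SAXException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

With the JDK's built-in parser the main method prints the "rejected" line; if a library that ignores or rejects the attributes is on the classpath, the logged error names the offending factory class.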
