Merge pull request #177 from shado23/safe-defaults

Author: SethTisue

shared/src/main/scala/scala/xml/factory/XMLLoader.scala

@@ -30,7 +30,13 @@ trait XMLLoader[T <: Node] {
   private lazy val parserInstance = new ThreadLocal[SAXParser] {
     override def initialValue = {
       val parser = SAXParserFactory.newInstance()
-
+      parser.setFeature("http://javax.xml.XMLConstants/feature/secure-processing", true)
+      parser.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false)
+      parser.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)
+      parser.setFeature("http://xml.org/sax/features/external-parameter-entities", false)
+      parser.setFeature("http://xml.org/sax/features/external-general-entities", false)
+      parser.setFeature("http://xml.org/sax/features/resolve-dtd-uris", false)
+      parser.setXIncludeAware(false)
       parser.setNamespaceAware(false)
       parser.newSAXParser()
     }