From 4debf8f25184b7283681ed3fb5e9e887d9d4fe22 Mon Sep 17 00:00:00 2001
From: Nikita Akilov <26031301+akilovich@users.noreply.github.com>
Date: Mon, 4 Oct 2021 13:13:02 +0300
Subject: [PATCH] dbeaver/dbeaver-ee#1166 prevent XXE
---
 bundles/org.jkiss.utils/src/org/jkiss/utils/xml/XMLUtils.java | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/bundles/org.jkiss.utils/src/org/jkiss/utils/xml/XMLUtils.java b/bundles/org.jkiss.utils/src/org/jkiss/utils/xml/XMLUtils.java
index 51754aa5416c..c035633d7ba3 100644
--- a/bundles/org.jkiss.utils/src/org/jkiss/utils/xml/XMLUtils.java
+++ b/bundles/org.jkiss.utils/src/org/jkiss/utils/xml/XMLUtils.java
@@ -17,6 +17,7 @@
 package org.jkiss.utils.xml;
+import javax.xml.XMLConstants;
 import org.jkiss.code.NotNull;
 import org.jkiss.code.Nullable;
 import org.w3c.dom.Document;
@@ -62,6 +63,7 @@ public static Document parseDocument(InputSource source) throws XMLException {
 try {
 DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
 DocumentBuilder xmlBuilder = dbf.newDocumentBuilder();
+ dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
 return xmlBuilder.parse(source);
 } catch (Exception er) {
 throw new XMLException("Error parsing XML document", er);
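Review bot: In the second hunk the added `dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);` sits after `dbf.newDocumentBuilder()`, so `xmlBuilder` has already been created from the unconfigured factory and the parse on the next line most likely runs without the feature. Move the call above `DocumentBuilder xmlBuilder = dbf.newDocumentBuilder();`. Secure processing alone is also not a dependable XXE guard across JAXP implementations, since it mainly enforces resource limits. If callers of `parseDocument` never need a DTD, also set `dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);` and `dbf.setExpandEntityReferences(false);` before building. The rest of `parseDocument` and any sibling parse helpers in `XMLUtils` are outside this hunk, so check whether they create their own factories and need the same hardening.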