From 3fa673d7673d5df5ebecc19f84a6ddd9b1689dcb Mon Sep 17 00:00:00 2001
From: Octavian Patrascoiu
Date: Mon, 9 Sep 2024 11:29:38 +0100
Subject: [PATCH] [#702] Disable access to external entities in XML parsing
---
 .../com/gs/dmn/serialization/jackson/NSElementSerializer.java | 1 +
 1 file changed, 1 insertion(+)
diff --git a/dmn-core/src/main/java/com/gs/dmn/serialization/jackson/NSElementSerializer.java b/dmn-core/src/main/java/com/gs/dmn/serialization/jackson/NSElementSerializer.java
index f98690a7c..79fa10237 100644
--- a/dmn-core/src/main/java/com/gs/dmn/serialization/jackson/NSElementSerializer.java
+++ b/dmn-core/src/main/java/com/gs/dmn/serialization/jackson/NSElementSerializer.java
@@ -28,6 +28,7 @@ public void serialize(NSElement element, JsonGenerator gen, SerializerProvider s
 private static String toXml(Element element) {
 try {
 TransformerFactory factory = TransformerFactory.newInstance();
+ factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
 factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
 factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
 StringWriter writer = new StringWriter();
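Review bot: The added `setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` in toXml leaves `XMLConstants.ACCESS_EXTERNAL_STYLESHEET` unset, and that is the JAXP access property defined for TransformerFactory alongside ACCESS_EXTERNAL_DTD; what secure processing restricts beyond that depends on the transformer implementation found on the classpath, so I would add `factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");` next to the two existing setAttribute calls. A short comment such as `// Harden the transformer: secure processing on, no external DTD/stylesheet access` would record why these calls are here. toXml appears to serialize an already-built Element, so entity resolution for incoming XML presumably happens wherever that Element was parsed, and that parser factory needs the same hardening; it is not visible in this hunk. The body of toXml, including the catch that would handle a failing setFeature, continues outside the hunk.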