XEE injection security in XML extension. Reported by Man Yue Mo.

Author: thboileau

Diff for: build/tmpl/text/changes.txt

@@ -4,6 +4,9 @@ Changes log
 ===========
 
 @version-full@ (@release-date@)
+    - Bugs fixed
+       - XEE injection security in XML extension.
+         Reported by Man Yue Mo.
 
 - 2.3.11 (09/28/2017)
     - Bugs fixed

Diff for: modules/org.restlet.ext.xml/src/org/restlet/ext/xml/XmlRepresentation.java

@@ -370,7 +370,10 @@ protected DocumentBuilder getDocumentBuilder() throws IOException {
             dbf.setNamespaceAware(isNamespaceAware());
             dbf.setValidating(isValidatingDtd());
             dbf.setCoalescing(isCoalescing());
-            dbf.setExpandEntityReferences(isExpandingEntityRefs());
+            dbf.setExpandEntityReferences(false);
+            dbf.setFeature("http://xml.org/sax/features/external-parameter-entities",isExpandingEntityRefs());
+            dbf.setFeature("http://xml.org/sax/features/external-general-entities",isExpandingEntityRefs());
+            
             dbf.setIgnoringComments(isIgnoringComments());
             dbf.setIgnoringElementContentWhitespace(isIgnoringExtraWhitespaces());