XML security

app/src/main/java/biweekly/io/xml/XCalDocument.java

@@ -471,7 +471,9 @@ public class XCalDocument {
 	public void write(Writer writer, Map<String, String> outputProperties) throws TransformerException {
 		Transformer transformer;
 		try {
-			transformer = TransformerFactory.newInstance().newTransformer();
+			TransformerFactory factory = TransformerFactory.newInstance();
+			factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+			transformer = factory.newTransformer();
 		} catch (TransformerConfigurationException e) {
 			//should never be thrown because we're not doing anything fancy with the configuration
 			throw new RuntimeException(e);

app/src/main/java/biweekly/io/xml/XCalReader.java

@@ -206,6 +206,7 @@ public class XCalReader extends StreamReader {
 			//create the transformer
 			try {
 				TransformerFactory factory = TransformerFactory.newInstance();
+				factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
 				XmlUtils.applyXXEProtection(factory);
 
 				transformer = factory.newTransformer();

app/src/main/java/biweekly/util/XmlUtils.java

@@ -154,6 +154,11 @@ public final class XmlUtils {
 		factory.setNamespaceAware(true);
 		factory.setIgnoringComments(true);
 		applyXXEProtection(factory);
+		try {
+			factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+		} catch (ParserConfigurationException ex) {
+			throw new SAXException(ex);
+		}
 
 		DocumentBuilder builder;
 		try {
@@ -169,6 +174,7 @@ public final class XmlUtils {
 	/**
 	 * Configures a {@link DocumentBuilderFactory} to protect it against XML
 	 * External Entity attacks.
+	 *
 	 * @param factory the factory
 	 * @see <a href=
 	 * "https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Prevention_Cheat_Sheet#Java">
@@ -198,6 +204,7 @@ public final class XmlUtils {
 	/**
 	 * Configures a {@link TransformerFactory} to protect it against XML
 	 * External Entity attacks.
+	 *
 	 * @param factory the factory
 	 * @see <a href=
 	 * "https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Prevention_Cheat_Sheet#Java">
@@ -283,7 +290,9 @@ public final class XmlUtils {
 	 */
 	public static void toWriter(Node node, Writer writer, Map<String, String> outputProperties) throws TransformerException {
 		try {
-			Transformer transformer = TransformerFactory.newInstance().newTransformer();
+			TransformerFactory factory = TransformerFactory.newInstance();
+			factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+			Transformer transformer = factory.newTransformer();
 			for (Map.Entry<String, String> property : outputProperties.entrySet()) {
 				try {
 					transformer.setOutputProperty(property.getKey(), property.getValue());

app/src/main/java/com/bugsnag/android/repackaged/dslplatform/json/XmlConverter.java

@@ -39,6 +39,7 @@ public abstract class XmlConverter {
 	static {
 		DocumentBuilderFactory dbFactory = DocumentBuilderFactory.newInstance();
 		try {
+			dbFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
 			documentBuilder = dbFactory.newDocumentBuilder();
 		} catch (ParserConfigurationException e) {
 			throw new RuntimeException(e);

app/src/main/java/com/sun/mail/handlers/text_xml.java

@@ -79,8 +79,9 @@ public class text_xml extends text_plain {
 	}
 
 	try {
-	    Transformer transformer =
-		TransformerFactory.newInstance().newTransformer();
+		TransformerFactory factory = TransformerFactory.newInstance();
+		factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+		Transformer transformer = factory.newTransformer();
 	    StreamResult result = new StreamResult(os);
 	    if (obj instanceof DataSource) {
 		// Streaming transform applies only to