We are using the dom4j 2.1.1 library for our application to parse internal and external XML documents. After a code audit, it was discovered that there was a potential XXE vulnerability with dom4j versions <2.0.3 and >2.1.3. However, with dom4j 2.1.1 the default behavior has been changed to prevent the processing of external entities by default, making the library more secure against XXE attacks. But it is still not completely secure!
Hence this question: how do I completely disable external DTDs and external entities from being parsed?
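One way to configure the dom4j reader so that no DOCTYPE, external DTD or external entity is ever processed, as an added example that is not code from the question or from the dom4j project. It assumes the JDK's built-in Xerces-based SAX parser, which recognises the feature URIs used; a different SAX parser that does not know them makes setFeature throw SAXNotRecognizedException, so the reader fails closed instead of silently parsing.

```java
import java.io.StringReader;

import org.dom4j.Document;
import org.dom4j.DocumentException;
import org.dom4j.io.SAXReader;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class HardenedDom4jReader {

    /** Builds a SAXReader with DTD processing and external entities fully disabled. */
    public static SAXReader hardenedReader() throws SAXException {
        SAXReader reader = new SAXReader();
        // Strongest control: reject any DOCTYPE at all (Xerces / JDK built-in parser feature).
        reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth should a DOCTYPE ever be allowed again: no external entities, no DTD fetch.
        reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
        reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        // Do not copy DTD declarations into the dom4j DocumentType either.
        reader.setIncludeExternalDTDDeclarations(false);
        reader.setIncludeInternalDTDDeclarations(false);
        // Last line of defence: any entity the parser still tries to resolve gets an empty stream.
        reader.setEntityResolver((publicId, systemId) -> new InputSource(new StringReader("")));
        return reader;
    }

    /** Returns true when the hardened reader refuses the document, false when it parses it. */
    public static boolean rejects(String xml) throws SAXException {
        try {
            Document doc = hardenedReader().read(new InputSource(new StringReader(xml)));
            return doc == null;
        } catch (DocumentException e) {
            // The underlying SAXParseException (DOCTYPE disallowed) is wrapped by dom4j.
            return true;
        }
    }

    public static void main(String[] args) throws SAXException {
        // Constructed inputs: one plain document, one that declares an external entity.
        String plain = "<config><name>demo</name></config>";
        String withDoctype = "<?xml version=\"1.0\"?>"
                + "<!DOCTYPE config [<!ENTITY ext SYSTEM \"file:///placeholder/not/read\">]>"
                + "<config><name>&ext;</name></config>";
        System.out.println("plain document rejected?   " + rejects(plain));
        System.out.println("DOCTYPE document rejected? " + rejects(withDoctype));
    }
}
```

Treat the disallow-doctype-decl feature as the control that matters; the remaining settings only limit damage if that one is ever relaxed for documents that legitimately need an internal DTD.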