From 1ebe948542217e7dc086de1f3fe7b97d1d83ba45 Mon Sep 17 00:00:00 2001
From: Dustin Frisch <dustin@opennms.com>
Date: Thu, 13 Jul 2023 13:51:30 +0200
Subject: [PATCH] NMS-15699: Prevent external xml entity loading

---
 core/xml/src/main/java/org/opennms/core/xml/JaxbUtils.java | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/core/xml/src/main/java/org/opennms/core/xml/JaxbUtils.java b/core/xml/src/main/java/org/opennms/core/xml/JaxbUtils.java
index 13f5fab2f618..60c78c1f3409 100644
--- a/core/xml/src/main/java/org/opennms/core/xml/JaxbUtils.java
+++ b/core/xml/src/main/java/org/opennms/core/xml/JaxbUtils.java
@@ -305,9 +305,9 @@ public static <T> XMLFilter getXMLFilterForClass(final Class<T> clazz, boolean d
         final XMLReader xmlReader = XMLReaderFactory.createXMLReader();
         if (disableDOCTYPE) {
             xmlReader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
-            xmlReader.setFeature("http://xml.org/sax/features/external-general-entities", false);
-            xmlReader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
         }
+        xmlReader.setFeature("http://xml.org/sax/features/external-general-entities", false);
+        xmlReader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
         xmlReader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
 
         filter.setParent(xmlReader);