From 83b70d913520337d9c039b7db42546016be1ac26 Mon Sep 17 00:00:00 2001
From: Octavian Patrascoiu
Date: Mon, 9 Sep 2024 12:28:52 +0100
Subject: [PATCH] [#702] Disable access to external entities in XML parsing
---
 .../com/gs/dmn/serialization/jackson/NSElementSerializer.java | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/dmn-core/src/main/java/com/gs/dmn/serialization/jackson/NSElementSerializer.java b/dmn-core/src/main/java/com/gs/dmn/serialization/jackson/NSElementSerializer.java
index 5a8e21a84..124e80fb0 100644
--- a/dmn-core/src/main/java/com/gs/dmn/serialization/jackson/NSElementSerializer.java
+++ b/dmn-core/src/main/java/com/gs/dmn/serialization/jackson/NSElementSerializer.java
@@ -28,10 +28,8 @@ public void serialize(NSElement element, JsonGenerator gen, SerializerProvider s
 private static String toXml(Element element) {
 try {
 TransformerFactory factory = TransformerFactory.newInstance();
- factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
- factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
 factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
- factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
+ factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
 StringWriter writer = new StringWriter();
 Transformer transformer = factory.newTransformer();
 transformer.transform(new DOMSource(element), new StreamResult(writer));
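Review bot: The removal of `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);` in `toXml` drops a hardening setting that every JAXP `TransformerFactory` is required to support, which runs against the commit's stated goal. Dropping the Xerces `disallow-doctype-decl` feature and swapping `ACCESS_EXTERNAL_SCHEMA` for `ACCESS_EXTERNAL_STYLESHEET` look right, since the first is a parser feature and the second is not a transformer attribute; I would keep the secure-processing line ahead of the two `setAttribute` calls. `setAttribute` throws `IllegalArgumentException` when the factory that `TransformerFactory.newInstance()` resolves from the classpath does not know the `ACCESS_EXTERNAL_*` attributes, and the `catch` of `toXml` is outside this hunk, so how that case is handled cannot be checked here. Because the input is a `DOMSource`, these settings are defence in depth only; whether external entities are resolved is presumably decided where the `Element` is parsed, and a short comment saying so (`// Serialises an already-parsed DOM; entity restrictions must also be set on the parser that built it`) would stop readers treating this method as the XXE control.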