https://github.com/FasterXML/jackson-databind/commit/612f971b78c60202e9cd75a299050c8f2d724a59
diff --git a/src/main/java/com/fasterxml/jackson/databind/ext/DOMDeserializer.java b/src/main/java/com/fasterxml/jackson/databind/ext/DOMDeserializer.java
index 78b1a00..121585e 100644
--- a/src/main/java/com/fasterxml/jackson/databind/ext/DOMDeserializer.java
+++ b/src/main/java/com/fasterxml/jackson/databind/ext/DOMDeserializer.java
@@ -36,6 +36,14 @@ public abstract class DOMDeserializer<T> extends FromStringDeserializer<T>
} catch(ParserConfigurationException pce) {
// not much point to do anything; could log but...
}
+
+ // [databind#2589] add two more settings just in case
+ try {
+ parserFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ } catch (Throwable t) { } // as per previous one, nothing much to do
+ try {
+ parserFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+ } catch (Throwable t) { } // as per previous one, nothing much to do
DEFAULT_PARSER_FACTORY = parserFactory;
}
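Review bot: The two new `catch (Throwable t) { }` blocks after each `setFeature` call swallow everything including `Error` subclasses such as `OutOfMemoryError`, and are broader than the `catch(ParserConfigurationException pce)` used by the preceding block, so a parser that refuses `disallow-doctype-decl` leaves the factory less hardened than intended with no trace that the feature was not applied. Assuming `parserFactory` is a `DocumentBuilderFactory`, `setFeature` declares only `ParserConfigurationException`; narrowing to that and naming the variable makes the intent explicit and keeps the two catches consistent with the earlier one: `} catch (ParserConfigurationException ignored) { // feature unsupported by this JAXP impl; factory keeps the settings applied above }`. If a wider net is wanted for unknown third-party JAXP implementations, `catch (Exception ignored)` still avoids swallowing `Error`s. The comment could also state that `disallow-doctype-decl` is the primary guard and `load-external-dtd=false` is a fallback for parsers that reject the first feature, since a rejected DOCTYPE never reaches external-DTD resolution. The enclosing static initializer starts outside the hunk.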