diff --git a/languagetool-core/src/main/java/org/languagetool/rules/patterns/PatternRuleLoader.java b/languagetool-core/src/main/java/org/languagetool/rules/patterns/PatternRuleLoader.java index 4ff37df74bd1..7607e93b795f 100644 --- a/languagetool-core/src/main/java/org/languagetool/rules/patterns/PatternRuleLoader.java +++ b/languagetool-core/src/main/java/org/languagetool/rules/patterns/PatternRuleLoader.java @@ -73,6 +73,9 @@ public final List getRules(InputStream is, String filename, Tools.setPasswordAuthenticator(); } saxParser.getXMLReader().setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false); + saxParser.getXMLReader().setProperty("jdk.xml.maxGeneralEntitySizeLimit", 0); + saxParser.getXMLReader().setProperty("jdk.xml.totalEntitySizeLimit", 0); + saxParser.getXMLReader().setProperty("jdk.xml.entityExpansionLimit", 0); saxParser.parse(is, handler); return handler.getRules(); } catch (Exception e) { diff --git a/languagetool-core/src/main/java/org/languagetool/tagging/disambiguation/rules/DisambiguationRuleLoader.java b/languagetool-core/src/main/java/org/languagetool/tagging/disambiguation/rules/DisambiguationRuleLoader.java index 7d7ac812f7a6..c83a8910e4e6 100644 --- a/languagetool-core/src/main/java/org/languagetool/tagging/disambiguation/rules/DisambiguationRuleLoader.java +++ b/languagetool-core/src/main/java/org/languagetool/tagging/disambiguation/rules/DisambiguationRuleLoader.java @@ -44,6 +44,9 @@ public final List getRules(InputStream stream, Langua DisambiguationRuleHandler handler = new DisambiguationRuleHandler(language, xmlPath); SAXParserFactory factory = SAXParserFactory.newInstance(); SAXParser saxParser = factory.newSAXParser(); + saxParser.getXMLReader().setProperty("jdk.xml.maxGeneralEntitySizeLimit", 0); + saxParser.getXMLReader().setProperty("jdk.xml.totalEntitySizeLimit", 0); + saxParser.getXMLReader().setProperty("jdk.xml.entityExpansionLimit", 0); if (JLanguageTool.isCustomPasswordAuthenticatorUsed()) { Tools.setPasswordAuthenticator();