diff --git a/build/tmpl/text/changes.txt b/build/tmpl/text/changes.txt
index 841135dd14..c76dd20995 100644
--- a/build/tmpl/text/changes.txt
+++ b/build/tmpl/text/changes.txt
@@ -4,6 +4,9 @@ Changes log
 ===========
 @version-full@ (@release-date@)
+ - Bugs fixed
+ - XEE injection security in XML extension.
+ Reported by Man Yue Mo.
 - 2.3.11 (09/28/2017)
 - Bugs fixed
diff --git a/modules/org.restlet.ext.xml/src/org/restlet/ext/xml/XmlRepresentation.java b/modules/org.restlet.ext.xml/src/org/restlet/ext/xml/XmlRepresentation.java
index 4826caf801..ab0a941b9b 100644
--- a/modules/org.restlet.ext.xml/src/org/restlet/ext/xml/XmlRepresentation.java
+++ b/modules/org.restlet.ext.xml/src/org/restlet/ext/xml/XmlRepresentation.java
@@ -370,7 +370,10 @@ protected DocumentBuilder getDocumentBuilder() throws IOException {
 dbf.setNamespaceAware(isNamespaceAware());
 dbf.setValidating(isValidatingDtd());
 dbf.setCoalescing(isCoalescing());
- dbf.setExpandEntityReferences(isExpandingEntityRefs());
+ dbf.setExpandEntityReferences(false);
+ dbf.setFeature("http://xml.org/sax/features/external-parameter-entities",isExpandingEntityRefs());
+ dbf.setFeature("http://xml.org/sax/features/external-general-entities",isExpandingEntityRefs());
+ dbf.setIgnoringComments(isIgnoringComments());
 dbf.setIgnoringElementContentWhitespace(isIgnoringExtraWhitespaces());
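Review bot: The two added `setFeature` calls only close the XXE hole when `isExpandingEntityRefs()` returns false, so the effectiveness of this fix hinges on that property's default, which is outside the hunk; if it still defaults to true (the JAXP default for entity expansion), external entities stay enabled for every caller that never touched the setting, and the default should be pinned to false in the same commit. The property also silently changes meaning here, from "expand entity reference nodes in the DOM" to "allow loading of external entities", while `setExpandEntityReferences(false)` is now hard-coded, so callers who set it to get expanded text nodes will now receive `EntityReference` nodes instead — the property's Javadoc and setter should document the new semantics. These two SAX features do not stop external DTD loading or internal entity-expansion DoS (billion laughs); I would add beside them `dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", isExpandingEntityRefs());` and `dbf.setFeature("http://javax.xml.XMLConstants/feature/secure-processing", true);` (Xerces ignores load-external-dtd when validation is on, so `isValidatingDtd()` behaviour is unchanged). `setFeature` throws the checked `ParserConfigurationException`, which the visible `throws IOException` signature does not declare, so this presumably relies on a try/catch that is not in the hunk; worth confirming it does not swallow the exception and hand back a builder with the features unset. getDocumentBuilder's body continues past the end of the hunk.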