XWIKI-20320: Disallow DOCTYPE in the XAR descriptor

xwiki-platform-core/xwiki-platform-xar/xwiki-platform-xar-model/src/main/java/org/xwiki/xar/XarPackage.java

@@ -515,6 +515,8 @@ public void readDescriptor(InputStream stream) throws XarException, IOException
 
         DocumentBuilder dBuilder;
         try {
+            // Prevent XXE attack
+            dbFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
             dBuilder = dbFactory.newDocumentBuilder();
         } catch (ParserConfigurationException e) {
             throw new XarException("Failed to create a new Document builder", e);