diff --git a/weixin/msg.py b/weixin/msg.py
index cb4e74a..89806b0 100644
--- a/weixin/msg.py
+++ b/weixin/msg.py
@@ -64,7 +64,8 @@ def validate(self, signature, timestamp, nonce):
 
     def parse(self, content):
         raw = {}
-        root = etree.fromstring(content)
+        root = etree.fromstring(content,
+                                parser=etree.XMLParser(resolve_entities=False))
         for child in root:
             raw[child.tag] = child.text
 
diff --git a/weixin/pay.py b/weixin/pay.py
index 4ab8cfb..1f8e231 100644
--- a/weixin/pay.py
+++ b/weixin/pay.py
@@ -79,7 +79,8 @@ def to_xml(self, raw):
 
     def to_dict(self, content):
         raw = {}
-        root = etree.fromstring(content.encode("utf-8"))
+        root = etree.fromstring(content.encode("utf-8"),
+                                parser=etree.XMLParser(resolve_entities=False))
         for child in root:
             raw[child.tag] = child.text
         return raw