From a0ce50b2a497dcb1711f48ad35cda14eeabf686f Mon Sep 17 00:00:00 2001
From: Tim Donohue
Date: Tue, 29 Apr 2025 14:51:19 -0500
Subject: [PATCH] Potential fix for code scanning alert no. 30: Resolving XML external entity in user-controlled data

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 .../pubmed/service/PubmedImportMetadataSourceServiceImpl.java | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/dspace-api/src/main/java/org/dspace/importer/external/pubmed/service/PubmedImportMetadataSourceServiceImpl.java b/dspace-api/src/main/java/org/dspace/importer/external/pubmed/service/PubmedImportMetadataSourceServiceImpl.java
index d84e3ed85e..22acf6c8ec 100644
--- a/dspace-api/src/main/java/org/dspace/importer/external/pubmed/service/PubmedImportMetadataSourceServiceImpl.java
+++ b/dspace-api/src/main/java/org/dspace/importer/external/pubmed/service/PubmedImportMetadataSourceServiceImpl.java
@@ -235,6 +235,8 @@ public class PubmedImportMetadataSourceServiceImpl extends AbstractImportMetadat
 try {
 SAXBuilder saxBuilder = new SAXBuilder();
+ saxBuilder.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ saxBuilder.setFeature("http://xml.org/sax/features/external-general-entities", false);
 Document document = saxBuilder.build(new StringReader(src));
 Element root = document.getRootElement();
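Review bot: With `disallow-doctype-decl` set to true, `saxBuilder.build(new StringReader(src))` will throw on any input that contains a DOCTYPE declaration, so the two added `setFeature` calls need a check that the XML arriving as `src` never legitimately carries one; if it can, the import fails at this point instead of being hardened. The `external-general-entities` line is redundant while DOCTYPEs are rejected, and on its own it would still leave parameter entities and external DTD loading enabled, so if the DOCTYPE ban ever has to be relaxed the lines to add are `saxBuilder.setFeature("http://xml.org/sax/features/external-parameter-entities", false);` and `saxBuilder.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);`. A one-line comment above the calls, such as `// XXE hardening: src is externally supplied XML, so reject DOCTYPE and external entities`, would record why the features are set. The enclosing method and its catch block lie outside the hunk, and the diffstat shows only this one builder was changed, so any other `SAXBuilder` constructed in the class presumably still runs with parser defaults, which is worth confirming.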