in src/main/java/org/apache/sling/contentparser/xml/jcr/internal/JCRXMLContentParser.java [54:63]
public JCRXMLContentParser() {
try {
SAXParserFactory spf = SAXParserFactory.newInstance();
spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
spf.setNamespaceAware(true);
saxParserFactory = spf;
} catch (Exception e) {
throw new IllegalStateException("Unable to enable secure processing.", e);
}
}