From 63c91ad426baffbd68b15acd00bc1b322d69b582 Mon Sep 17 00:00:00 2001
From: "Matteo E. Minnai" <m.minnai@entando.com>
Date: Wed, 24 Jun 2026 12:31:24 +0200
Subject: [PATCH] ESB-1146 Fix XEE in PageModelDOM

---
 .../agiletec/aps/system/services/pagemodel/PageModelDOM.java  | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/engine/src/main/java/com/agiletec/aps/system/services/pagemodel/PageModelDOM.java b/engine/src/main/java/com/agiletec/aps/system/services/pagemodel/PageModelDOM.java
index 75c661f35..66835e1fe 100644
--- a/engine/src/main/java/com/agiletec/aps/system/services/pagemodel/PageModelDOM.java
+++ b/engine/src/main/java/com/agiletec/aps/system/services/pagemodel/PageModelDOM.java
@@ -109,6 +109,10 @@ private Element buildSketchXML(Frame frame) {
 	private void decodeDOM(String xmlText) throws EntException {
 		SAXBuilder builder = new SAXBuilder();
 		builder.setValidation(false);
+		builder.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+		builder.setFeature("http://xml.org/sax/features/external-general-entities", false);
+		builder.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+		builder.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
 		StringReader reader = new StringReader(xmlText);
 		try {
 			_doc = builder.build(reader);