We should be doing this:
spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)
and simply rejecting anything with a doctype decl. This would apply to all the XML we consume, whether it is a DFDL schema, a configuration file, or input data for unparsing.
This is needed because a doctype decl in incoming XML can define entities whose expansion makes the JVM run out of memory and crash with an OutOfMemoryError (OOME).
See https://en.wikipedia.org/wiki/Billion_laughs for one vulnerability that this fixes.
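As an added illustration (not code from the issue or from Daffodil), the Java below configures a SAXParserFactory with the feature above and shows that a constructed document carrying a DOCTYPE is rejected while a plain document still parses; the class name, helper methods and sample inputs are my own.

```java
import java.io.StringReader;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

public class DoctypeRejection {

    // Build a SAXParserFactory that refuses any document containing a DOCTYPE.
    static SAXParserFactory hardenedFactory() throws Exception {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return spf;
    }

    // Returns true if the parser accepted the document, false if it was rejected.
    // With the feature enabled, Xerces raises a SAXParseException as soon as it
    // sees the DOCTYPE, before any entity is expanded.
    static boolean parseAccepts(SAXParserFactory spf, String xml) throws Exception {
        SAXParser parser = spf.newSAXParser();
        try {
            parser.parse(new InputSource(new StringReader(xml)), new DefaultHandler());
            return true;
        } catch (SAXParseException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs (hypothetical, not from the issue): a plain
        // document and one whose DOCTYPE declares an internal entity, which is
        // the building block of entity-expansion attacks like billion laughs.
        String plain = "<root><value>1</value></root>";
        String withDoctype =
            "<!DOCTYPE root [<!ENTITY a \"aaaaaaaaaa\">]><root>&a;</root>";

        SAXParserFactory spf = hardenedFactory();
        System.out.println("plain accepted:   " + parseAccepts(spf, plain));
        System.out.println("doctype accepted: " + parseAccepts(spf, withDoctype));
    }
}
```

The same factory should be used for every parser Daffodil creates, so that schemas, configuration files and unparse input all go through the hardened path.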