For a discussion of turning off entities on XML.
We also need to turn off any way the XML parser could "go to the web" to resolve anything. This may already be off for parsing of DFDL schemas, since we have our own resolver, but we also feed things to Xerces for validation, which might have the same issues, and when processing data, our streaming-in of XML for unparsing may not be defending against this either.
Places we take in XML:
Validation of DFDL Schema in Xerces
Validation of XML of DFDL Infoset in Xerces (this is our own XML, output by the parser, so less of an issue, but we might as well be uniform about all of these)
XML Input to the unparser
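As an added illustration of the hardening described above (not Daffodil's own code), the following Java shows one way to configure the two Xerces entry points: a SAX reader for XML fed to the unparser or infoset validation, and a SchemaFactory for schema validation. The feature and property names are the standard Xerces/JAXP ones; the hook for the project's own schema resolver is assumed, not shown.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.validation.SchemaFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;
import java.io.StringReader;

public final class HardenedXml {
    /** SAX reader for infoset/unparser input: no DOCTYPE, no entities, no DTD fetch. */
    public static XMLReader newHardenedReader() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setNamespaceAware(true);
        // Reject any DOCTYPE: without one, no entity can be declared at all.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a deployment relaxes the line above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        // JAXP secure processing also enforces entity-expansion limits.
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        XMLReader r = f.newSAXParser().getXMLReader();
        // Should resolution ever be attempted, return an empty document rather than fetching.
        r.setEntityResolver((publicId, systemId) -> new InputSource(new StringReader("")));
        return r;
    }

    /** SchemaFactory for Xerces schema validation: no network access for DTDs or schema URIs. */
    public static SchemaFactory newHardenedSchemaFactory() throws SAXException {
        SchemaFactory sf = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        sf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // JAXP 1.5 properties: an empty protocol list forbids every external fetch.
        sf.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        sf.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        // Includes/imports a schema legitimately needs come from the project's own resolver
        // (assumption: plugged in via sf.setResourceResolver(...), not shown here).
        return sf;
    }

    /** Constructed probe: a DOCTYPE with an external entity, which the reader must refuse. */
    static final String PROBE = "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE d [<!ENTITY ext SYSTEM \"file:///nonexistent\">]>\n<d>&ext;</d>";

    /** True when parsing the probe fails fast instead of trying to resolve the entity. */
    public static boolean rejectsExternalEntities() throws Exception {
        try {
            newHardenedReader().parse(new InputSource(new StringReader(PROBE)));
            return false; // parsed silently: hardening did not take effect
        } catch (SAXException expected) {
            return true;  // Xerces reports that DOCTYPE is disallowed
        }
    }
}
```

Running `rejectsExternalEntities()` in a unit test is a cheap regression check that the configuration stays in force across parser upgrades.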