Move new documentbuilderfactory calls to XMLUtils

Author: dotasek

org.hl7.fhir.convertors/src/main/java/org/hl7/fhir/convertors/misc/CDAUtilities.java

@@ -51,7 +51,7 @@ public class CDAUtilities {
   private final Document doc;
 
   public CDAUtilities(InputStream stream) throws Exception {
-    DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+    DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
     factory.setNamespaceAware(true);
     DocumentBuilder builder = factory.newDocumentBuilder();
 

org.hl7.fhir.convertors/src/main/java/org/hl7/fhir/convertors/misc/CKMImporter.java

@@ -130,7 +130,7 @@ private Document loadXml(String address) throws Exception {
     res.checkThrowException();
     InputStream xml = new ByteArrayInputStream(res.getContent());
 
-    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+    DocumentBuilderFactory dbf = XMLUtil.newXXEProtectedDocumentBuilderFactory();
     DocumentBuilder db = dbf.newDocumentBuilder();
     return db.parse(xml);
   }

org.hl7.fhir.convertors/src/main/java/org/hl7/fhir/convertors/misc/CountryCodesConverter.java

@@ -357,7 +357,7 @@ private String lang3To2(String lang) {
   }
 
   private Document load() throws ParserConfigurationException, SAXException, IOException {
-    DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+    DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
     factory.setNamespaceAware(true);
     DocumentBuilder builder = factory.newDocumentBuilder();
 

org.hl7.fhir.convertors/src/main/java/org/hl7/fhir/convertors/misc/DicomPackageBuilder.java

@@ -131,7 +131,7 @@ private JsonObject buildPackage() {
   }
 
   private CodeSystem buildCodeSystem() throws ParserConfigurationException, FileNotFoundException, SAXException, IOException {
-    DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+    DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
     factory.setNamespaceAware(true);
     DocumentBuilder builder = factory.newDocumentBuilder();
     Document doc = builder.parse(ManagedFileAccess.inStream(Utilities.path(source, "Resources", "Ontology", "DCM", "dcm.owl")));

org.hl7.fhir.convertors/src/main/java/org/hl7/fhir/convertors/misc/ICPC2Importer.java

@@ -120,7 +120,7 @@ public void setTargetFileNameVS(String targetFileName) {
   }
 
   public void go() throws Exception {
-    DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+    DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
     factory.setNamespaceAware(false);
     DocumentBuilder builder = factory.newDocumentBuilder();
     Document doc = builder.parse(ManagedFileAccess.inStream(sourceFileName));

org.hl7.fhir.convertors/src/main/java/org/hl7/fhir/convertors/misc/LoincToDEConvertor.java

@@ -148,7 +148,7 @@ private void log(String string) {
 
 	}
 	private void loadLoinc() throws FileNotFoundException, SAXException, IOException, ParserConfigurationException {
-		DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+		DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
 		factory.setNamespaceAware(true);
 		DocumentBuilder builder = factory.newDocumentBuilder();
 

org.hl7.fhir.convertors/src/main/java/org/hl7/fhir/convertors/misc/adl/ADLImporter.java

@@ -1,7 +1,5 @@
 package org.hl7.fhir.convertors.misc.adl;
 
-import java.io.FileInputStream;
-import java.io.FileOutputStream;
 import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.List;
@@ -89,7 +87,7 @@ private static String getParam(String[] args, String name) {
 
   private void execute() throws Exception {
     // load config
-    DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+    DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
     factory.setNamespaceAware(true);
     DocumentBuilder builder = factory.newDocumentBuilder();
     adlConfig = builder.parse(ManagedFileAccess.inStream(config)).getDocumentElement();

org.hl7.fhir.convertors/src/main/java/org/hl7/fhir/convertors/misc/iso21090/ISO21090Importer.java

@@ -317,7 +317,7 @@ private String getDoco(Element en) {
   }
 
   private void load() throws ParserConfigurationException, SAXException, IOException {
-    DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+    DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
     factory.setNamespaceAware(false);
     DocumentBuilder builder = factory.newDocumentBuilder();
     Document doc = builder.parse(ManagedFileAccess.inStream("C:\\work\\projects\\org.hl7.v3.dt\\iso\\iso-21090-datatypes.xsd"));

org.hl7.fhir.dstu2/src/main/java/org/hl7/fhir/dstu2/terminologies/LoincToDEConvertor.java

@@ -162,7 +162,7 @@ private void log(String string) {
   }
 
   private void loadLoinc() throws FileNotFoundException, SAXException, IOException, ParserConfigurationException {
-    DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+    DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
     factory.setNamespaceAware(true);
     DocumentBuilder builder = factory.newDocumentBuilder();
 

org.hl7.fhir.dstu2/src/main/java/org/hl7/fhir/dstu2/utils/DigitalSignatures.java

@@ -60,6 +60,7 @@ WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWIS
 import javax.xml.parsers.ParserConfigurationException;
 
 import org.hl7.fhir.exceptions.FHIRException;
+import org.hl7.fhir.utilities.xml.XMLUtil;
 import org.hl7.fhir.utilities.xml.XmlGenerator;
 import org.w3c.dom.Document;
 import org.xml.sax.SAXException;
@@ -73,7 +74,7 @@ public static void main(String[] args)
     //
     byte[] inputXml = "<Envelope xmlns=\"urn:envelope\">\r\n</Envelope>\r\n".getBytes();
     // load the document that's going to be signed
-    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+    DocumentBuilderFactory dbf = XMLUtil.newXXEProtectedDocumentBuilderFactory();
     dbf.setNamespaceAware(true);
     DocumentBuilder builder = dbf.newDocumentBuilder();
     Document doc = builder.parse(new ByteArrayInputStream(inputXml));

org.hl7.fhir.dstu2/src/main/java/org/hl7/fhir/dstu2/utils/Translations.java

@@ -70,7 +70,7 @@ public void setLang(String lang) {
    */
   public void load(String filename)
       throws FileNotFoundException, SAXException, IOException, ParserConfigurationException {
-    DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+    DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
     DocumentBuilder builder = factory.newDocumentBuilder();
     loadMessages(builder.parse(new CSFileInputStream(filename)));
   }

org.hl7.fhir.dstu2/src/test/java/org/hl7/fhir/dstu2/test/TestingUtilities.java

@@ -17,6 +17,7 @@
 import org.hl7.fhir.utilities.Utilities;
 import org.hl7.fhir.utilities.filesystem.CSFile;
 import org.hl7.fhir.utilities.filesystem.ManagedFileAccess;
+import org.hl7.fhir.utilities.xml.XMLUtil;
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
 import org.w3c.dom.NamedNodeMap;
@@ -145,7 +146,7 @@ private static Node skipBlankText(Node node) {
   }
 
   private static Document loadXml(String fn) throws Exception {
-    DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+    DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
     factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
     factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
     factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);

org.hl7.fhir.dstu2016may/src/main/java/org/hl7/fhir/dstu2016may/metamodel/XmlParser.java

@@ -78,7 +78,7 @@ public XmlParser(IWorkerContext context) {
   public Element parse(InputStream stream) throws Exception {
     Document doc = null;
     try {
-      DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+      DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
       // xxe protection
       factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
       factory.setFeature("http://xml.org/sax/features/external-general-entities", false);

org.hl7.fhir.dstu2016may/src/main/java/org/hl7/fhir/dstu2016may/terminologies/ICPC2Importer.java

@@ -116,7 +116,7 @@ public void setTargetFileNameVS(String targetFileName) {
   }
 
   public void go() throws Exception {
-    DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+    DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
     factory.setNamespaceAware(false);
     DocumentBuilder builder = factory.newDocumentBuilder();
     Document doc = builder.parse(ManagedFileAccess.inStream(sourceFileName));

org.hl7.fhir.dstu2016may/src/main/java/org/hl7/fhir/dstu2016may/terminologies/LoincToDEConvertor.java

@@ -162,7 +162,7 @@ private void log(String string) {
   }
 
   private void loadLoinc() throws FileNotFoundException, SAXException, IOException, ParserConfigurationException {
-    DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+    DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
     factory.setNamespaceAware(true);
     DocumentBuilder builder = factory.newDocumentBuilder();
 

org.hl7.fhir.dstu2016may/src/main/java/org/hl7/fhir/dstu2016may/utils/DigitalSignatures.java

@@ -60,6 +60,7 @@ WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWIS
 import javax.xml.parsers.ParserConfigurationException;
 
 import org.hl7.fhir.exceptions.FHIRException;
+import org.hl7.fhir.utilities.xml.XMLUtil;
 import org.hl7.fhir.utilities.xml.XmlGenerator;
 import org.w3c.dom.Document;
 import org.xml.sax.SAXException;
@@ -73,7 +74,7 @@ public static void main(String[] args) throws SAXException, IOException, ParserC
     //
     byte[] inputXml = "<Envelope xmlns=\"urn:envelope\">\r\n</Envelope>\r\n".getBytes();
     // load the document that's going to be signed
-    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+    DocumentBuilderFactory dbf = XMLUtil.newXXEProtectedDocumentBuilderFactory();
     dbf.setNamespaceAware(true);
     DocumentBuilder builder = dbf.newDocumentBuilder();
     Document doc = builder.parse(new ByteArrayInputStream(inputXml));

org.hl7.fhir.dstu2016may/src/main/java/org/hl7/fhir/dstu2016may/utils/Translations.java

@@ -70,7 +70,7 @@ public void setLang(String lang) {
    */
   public void load(String filename)
       throws FileNotFoundException, SAXException, IOException, ParserConfigurationException {
-    DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+    DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
     DocumentBuilder builder = factory.newDocumentBuilder();
     loadMessages(builder.parse(new CSFileInputStream(filename)));
   }

org.hl7.fhir.dstu2016may/src/test/java/org/hl7/fhir/dstu2016may/test/TestingUtilities.java

@@ -17,6 +17,7 @@
 import org.hl7.fhir.utilities.Utilities;
 import org.hl7.fhir.utilities.filesystem.CSFile;
 import org.hl7.fhir.utilities.filesystem.ManagedFileAccess;
+import org.hl7.fhir.utilities.xml.XMLUtil;
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
 import org.w3c.dom.NamedNodeMap;
@@ -145,7 +146,7 @@ private static Node skipBlankText(Node node) {
   }
 
   private static Document loadXml(String fn) throws Exception {
-    DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+    DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
     factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
     factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
     factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);

org.hl7.fhir.dstu3/src/main/java/org/hl7/fhir/dstu3/elementmodel/XmlParser.java

@@ -97,7 +97,7 @@ public void setAllowXsiLocation(boolean allowXsiLocation) {
   public Element parse(InputStream stream) throws FHIRFormatError, DefinitionException, FHIRException, IOException {
 		Document doc = null;
   	try {
-  		DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+  		DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
   		// xxe protection
   		factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
   		factory.setFeature("http://xml.org/sax/features/external-general-entities", false);

org.hl7.fhir.dstu3/src/main/java/org/hl7/fhir/dstu3/terminologies/LoincToDEConvertor.java

@@ -154,7 +154,7 @@ private void log(String string) {
 
 	}
 	private void loadLoinc() throws FileNotFoundException, SAXException, IOException, ParserConfigurationException {
-		DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+		DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
 		factory.setNamespaceAware(true);
 		DocumentBuilder builder = factory.newDocumentBuilder();
 

org.hl7.fhir.dstu3/src/main/java/org/hl7/fhir/dstu3/utils/DigitalSignatures.java

@@ -62,6 +62,7 @@ WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWIS
 import javax.xml.parsers.ParserConfigurationException;
 
 import org.hl7.fhir.exceptions.FHIRException;
+import org.hl7.fhir.utilities.xml.XMLUtil;
 import org.hl7.fhir.utilities.xml.XmlGenerator;
 import org.w3c.dom.Document;
 import org.xml.sax.SAXException;
@@ -74,7 +75,7 @@ public static void main(String[] args) throws SAXException, IOException, ParserC
     //
     byte[] inputXml = "<Envelope xmlns=\"urn:envelope\">\r\n</Envelope>\r\n".getBytes();
     // load the document that's going to be signed
-    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); 
+    DocumentBuilderFactory dbf = XMLUtil.newXXEProtectedDocumentBuilderFactory();
     dbf.setNamespaceAware(true);
     DocumentBuilder builder = dbf.newDocumentBuilder();  
     Document doc = builder.parse(new ByteArrayInputStream(inputXml)); 

org.hl7.fhir.dstu3/src/main/java/org/hl7/fhir/dstu3/utils/Translations.java

@@ -1,33 +1,33 @@
 package org.hl7.fhir.dstu3.utils;
 
-/*
-  Copyright (c) 2011+, HL7, Inc.
-  All rights reserved.
-  
-  Redistribution and use in source and binary forms, with or without modification, 
-  are permitted provided that the following conditions are met:
-    
-   * Redistributions of source code must retain the above copyright notice, this 
-     list of conditions and the following disclaimer.
-   * Redistributions in binary form must reproduce the above copyright notice, 
-     this list of conditions and the following disclaimer in the documentation 
-     and/or other materials provided with the distribution.
-   * Neither the name of HL7 nor the names of its contributors may be used to 
-     endorse or promote products derived from this software without specific 
-     prior written permission.
-  
-  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 
-  ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 
-  WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
-  IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, 
-  INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 
-  NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 
-  PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 
-  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 
-  ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 
-  POSSIBILITY OF SUCH DAMAGE.
-  
- */
+/*
+  Copyright (c) 2011+, HL7, Inc.
+  All rights reserved.
+  
+  Redistribution and use in source and binary forms, with or without modification, 
+  are permitted provided that the following conditions are met:
+    
+   * Redistributions of source code must retain the above copyright notice, this 
+     list of conditions and the following disclaimer.
+   * Redistributions in binary form must reproduce the above copyright notice, 
+     this list of conditions and the following disclaimer in the documentation 
+     and/or other materials provided with the distribution.
+   * Neither the name of HL7 nor the names of its contributors may be used to 
+     endorse or promote products derived from this software without specific 
+     prior written permission.
+  
+  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 
+  ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 
+  WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
+  IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, 
+  INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 
+  NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 
+  PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 
+  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 
+  ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 
+  POSSIBILITY OF SUCH DAMAGE.
+  
+ */
 
 
 
@@ -71,7 +71,7 @@ public void setLang(String lang) {
    * @throws Exception
    */
   public void load(String filename) throws FileNotFoundException, SAXException, IOException, ParserConfigurationException {
-    DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+    DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
     DocumentBuilder builder = factory.newDocumentBuilder();
     loadMessages(builder.parse(new CSFileInputStream(filename)));
   }

org.hl7.fhir.dstu3/src/test/java/org/hl7/fhir/dstu3/test/support/TestingUtilities.java

@@ -20,6 +20,7 @@
 import org.hl7.fhir.utilities.filesystem.CSFile;
 import org.hl7.fhir.utilities.filesystem.ManagedFileAccess;
 import org.hl7.fhir.utilities.tests.BaseTestingUtilities;
+import org.hl7.fhir.utilities.xml.XMLUtil;
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
 import org.w3c.dom.NamedNodeMap;
@@ -176,7 +177,7 @@ private static Document loadXml(String fn) throws Exception {
   }
 
   private static Document loadXml(InputStream fn) throws Exception {
-    DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+    DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
       factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
       factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
       factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);

org.hl7.fhir.r4/src/main/java/org/hl7/fhir/r4/elementmodel/XmlParser.java

@@ -96,7 +96,7 @@ public void setAllowXsiLocation(boolean allowXsiLocation) {
   public Element parse(InputStream stream) throws FHIRFormatError, DefinitionException, FHIRException, IOException {
     Document doc = null;
     try {
-      DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+      DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
       // xxe protection
       factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
       factory.setFeature("http://xml.org/sax/features/external-general-entities", false);

org.hl7.fhir.r4/src/main/java/org/hl7/fhir/r4/terminologies/LoincToDEConvertor.java

@@ -156,7 +156,7 @@ private void log(String string) {
   }
 
   private void loadLoinc() throws FileNotFoundException, SAXException, IOException, ParserConfigurationException {
-    DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+    DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
     factory.setNamespaceAware(true);
     DocumentBuilder builder = factory.newDocumentBuilder();
 

org.hl7.fhir.r4/src/main/java/org/hl7/fhir/r4/test/utils/TestingUtilities.java

@@ -59,6 +59,7 @@ WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWIS
 import org.hl7.fhir.utilities.tests.BaseTestingUtilities;
 import org.hl7.fhir.utilities.tests.ResourceLoaderTests;
 import org.hl7.fhir.utilities.tests.TestConfig;
+import org.hl7.fhir.utilities.xml.XMLUtil;
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
 import org.w3c.dom.NamedNodeMap;
@@ -256,7 +257,7 @@ private static Document loadXml(String fn) throws Exception {
   }
 
   private static Document loadXml(InputStream fn) throws Exception {
-    DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+    DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
     factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
     factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
     factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);

org.hl7.fhir.r4/src/main/java/org/hl7/fhir/r4/utils/DigitalSignatures.java

@@ -60,6 +60,7 @@ WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWIS
 
 import org.hl7.fhir.utilities.Utilities;
 import org.hl7.fhir.utilities.filesystem.ManagedFileAccess;
+import org.hl7.fhir.utilities.xml.XMLUtil;
 import org.hl7.fhir.utilities.xml.XmlGenerator;
 import org.w3c.dom.Document;
 
@@ -88,7 +89,7 @@ public static void main(String[] args) throws Exception {
     //
     byte[] inputXml = "<Envelope xmlns=\"urn:envelope\">\r\n</Envelope>\r\n".getBytes();
     // load the document that's going to be signed
-    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+    DocumentBuilderFactory dbf = XMLUtil.newXXEProtectedDocumentBuilderFactory();
     dbf.setNamespaceAware(true);
     DocumentBuilder builder = dbf.newDocumentBuilder();
     Document doc = builder.parse(new ByteArrayInputStream(inputXml));

org.hl7.fhir.r4/src/main/java/org/hl7/fhir/r4/utils/Translations.java

@@ -70,7 +70,7 @@ public void setLang(String lang) {
    */
   public void load(String filename)
       throws FileNotFoundException, SAXException, IOException, ParserConfigurationException {
-    DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+    DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
     DocumentBuilder builder = factory.newDocumentBuilder();
     loadMessages(builder.parse(new CSFileInputStream(filename)));
   }