oxml: don't resolve XML entities in oxml_parser

Resolving entities in the XML is not required by the Open XML standard
and represents a security vulnerability. Turn off entity resolution in
both the opc (package) parser and the part parser.

Author: Steve Canny

docx/opc/oxml.py

@@ -16,7 +16,7 @@
 
 # configure XML parser
 element_class_lookup = etree.ElementNamespaceClassLookup()
-oxml_parser = etree.XMLParser(remove_blank_text=True)
+oxml_parser = etree.XMLParser(remove_blank_text=True, resolve_entities=False)
 oxml_parser.set_element_class_lookup(element_class_lookup)
 
 nsmap = {

docx/oxml/__init__.py

@@ -14,7 +14,7 @@
 
 # configure XML parser
 element_class_lookup = etree.ElementNamespaceClassLookup()
-oxml_parser = etree.XMLParser(remove_blank_text=True)
+oxml_parser = etree.XMLParser(remove_blank_text=True, resolve_entities=False)
 oxml_parser.set_element_class_lookup(element_class_lookup)