Security fix: Prevent XXE attack on source/sink definition file

Author: StevenArzt

soot-infoflow-android/src/soot/jimple/infoflow/android/source/parsers/xml/XMLSourceSinkParser.java

@@ -484,6 +484,11 @@ protected XMLSourceSinkParser(ICategoryFilter categoryFilter) {
 	protected void parseInputStream(InputStream stream) {
 		SAXParserFactory pf = SAXParserFactory.newInstance();
 		try {
+			// Prevent XXE
+			pf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+			pf.setFeature("http://xml.org/sax/features/external-general-entities", false);
+			pf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+
 			SAXParser parser = pf.newSAXParser();
 			parser.parse(stream, new SAXHandler());
 		} catch (ParserConfigurationException e) {