I see some work on trunk that implements configurations for secure processing (specifically, totalEntitySizeLimit).
http://svn.apache.org/viewvc/xerces/java/trunk/src/org/apache/xerces/parsers/SecureProcessingConfiguration.java?view=log

This doesn't seem to be included in any release (most recent being in 2010). I've tried using the Oracle jaxp implementation, and performance was terrible. We utilise the xerces grammar pool caching which makes xerces our preferred parser. While we could patch it ourselves, this is going to raise some concerns when we audit our libraries. I've seen some previous messages on this mailing list about a release being needed... are there any plans for a release that would include these fixes? Is there anything I can do to contribute to help move things along?

Thanks in advance for any help.
