Re: Disabling XML External Entities

2012-12-05 Thread Michael Glavassevich
Hello Daniel, This is working as designed. Disabling validation has no impact on entity processing. Please refer to this FAQ [1]. DocumentBuilderFactory.setExpandEntityReferences() only tells the DocumentBuilder whether it should include EntityReference nodes in the tree. Please refer to [2]

Disabling XML External Entities

2012-12-05 Thread Daniel Amodio
Hello, We recently did some testing to verify the proper way of disabling external entity resolution, as a security recommendation. Through some unit testing, we came up with a couple findings which I wanted to verify were intended functionality: * Not validating XML did not