FOP-3168: Add secure processing for XSL input

fop-core/src/main/java/org/apache/fop/cli/InputHandler.java

@@ -26,6 +26,7 @@ import java.io.OutputStream;
 import java.lang.reflect.InvocationTargetException;
 import java.util.Vector;
 
+import javax.xml.XMLConstants;
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.parsers.SAXParserFactory;
 import javax.xml.transform.ErrorListener;
@@ -265,6 +266,7 @@ public class InputHandler implements ErrorListener, Renderable {
         try {
             // Setup XSLT
             TransformerFactory factory = TransformerFactory.newInstance();
+            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
             Transformer transformer;
 
             Source xsltSource = createXSLTSource();