2 files changed, 4 insertions, 0 deletions

diff --git a/fop-core/src/main/java/org/apache/fop/cli/InputHandler.java b/fop-core/src/main/java/org/apache/fop/cli/InputHandler.java
index 5b9d2fd77..29d1c0c11 100644
--- a/fop-core/src/main/java/org/apache/fop/cli/InputHandler.java
+++ b/fop-core/src/main/java/org/apache/fop/cli/InputHandler.java
@@ -244,6 +244,7 @@ public class InputHandler implements ErrorListener, Renderable {
         SAXParserFactory spf = SAXParserFactory.newInstance();
         spf.setFeature("http://xml.org/sax/features/namespaces", true);
         spf.setFeature("http://apache.org/xml/features/xinclude", true);
+        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
         XMLReader xr = spf.newSAXParser().getXMLReader();
         return xr;
     }
diff --git a/fop-core/src/main/java/org/apache/fop/servlet/FopServlet.java b/fop-core/src/main/java/org/apache/fop/servlet/FopServlet.java
index f06486c2b..0250415f2 100644
--- a/fop-core/src/main/java/org/apache/fop/servlet/FopServlet.java
+++ b/fop-core/src/main/java/org/apache/fop/servlet/FopServlet.java
@@ -30,6 +30,7 @@ import javax.servlet.ServletException;
 import javax.servlet.http.HttpServlet;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+import javax.xml.XMLConstants;
 import javax.xml.transform.Result;
 import javax.xml.transform.Source;
 import javax.xml.transform.Transformer;
@@ -96,6 +97,8 @@ public class FopServlet extends HttpServlet {
     public void init() throws ServletException {
         this.uriResolver = new ServletContextURIResolver(getServletContext());
         this.transFactory = TransformerFactory.newInstance();
+        transFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+        transFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
         this.transFactory.setURIResolver(this.uriResolver);
         //Configure FopFactory as desired
         // TODO: Double check this behaves properly!!