diff --git a/core/src/main/java/org/jenkins/ui/symbol/Symbol.java b/core/src/main/java/org/jenkins/ui/symbol/Symbol.java
index 604221d07db2..be9e8cec310d 100644
--- a/core/src/main/java/org/jenkins/ui/symbol/Symbol.java
+++ b/core/src/main/java/org/jenkins/ui/symbol/Symbol.java
@@ -107,6 +107,7 @@ private static String loadSymbol(String namespace, String name) {
 DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
 try {
 dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+ dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
 DocumentBuilder db = dbf.newDocumentBuilder();
 Document doc = db.parse(new StringInputStream(markup));
 Element root = doc.getDocumentElement();
diff --git a/core/src/main/resources/hudson/PluginManager/_installed.js b/core/src/main/resources/hudson/PluginManager/_installed.js
index 4b1018a24ce5..3cde7be6dc3a 100644
--- a/core/src/main/resources/hudson/PluginManager/_installed.js
+++ b/core/src/main/resources/hudson/PluginManager/_installed.js
@@ -26,7 +26,7 @@
 ).then((rsp) => {
 if (!rsp.ok) {
 rsp.text().then((responseText) => {
- document.getElementById("needRestart").innerHTML = responseText;
+ document.getElementById("needRestart").textContent = responseText;
 });
 }
 updateMsg();
diff --git a/war/src/main/webapp/scripts/hudson-behavior.js b/war/src/main/webapp/scripts/hudson-behavior.js
index 08fc373f2b49..fb3a099ea7ac 100644
--- a/war/src/main/webapp/scripts/hudson-behavior.js
+++ b/war/src/main/webapp/scripts/hudson-behavior.js
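Review bot: Disallowing the DOCTYPE on the added `setFeature` line is the right primary control, but the catch for the `try` it sits in is outside the hunk, so it is worth confirming that a `ParserConfigurationException` from a parser implementation that does not recognise that Xerces feature URI does not fall through to parsing `markup` with a less restrictive builder. For defence in depth the same factory can also take `dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");` and `dbf.setXIncludeAware(false);`, since FEATURE_SECURE_PROCESSING on its own bounds entity expansion but does not by itself stop external resource resolution. A short comment on the new line would save the next reader a lookup: `// Reject any DOCTYPE: blocks external entities (XXE) and entity-expansion DoS, which FEATURE_SECURE_PROCESSING alone does not prevent`. loadSymbol's body starts and ends outside the hunk.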
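Review bot: The new `textContent` assignment still dereferences `document.getElementById("needRestart")` unguarded inside the `.then` callback, so if that element is absent the TypeError surfaces only as an unhandled promise rejection and the error text is silently lost. A small guard keeps the fix intact: `const needRestart = document.getElementById("needRestart");` followed by `if (needRestart) { needRestart.textContent = responseText; }`. Switching from `innerHTML` to `textContent` is the right treatment for a server error body, which is not trusted markup. The enclosing function starts outside the hunk.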
@@ -658,15 +658,8 @@ function registerValidator(e) {
 var depends = this.getAttribute("checkDependsOn");
 if (depends == null) {
- // legacy behaviour where checkUrl is a JavaScript
- try {
- return eval(url); // need access to 'this', so no 'geval'
- } catch (e) {
- console.warn(
- "Legacy checkUrl '" + url + "' is not valid JavaScript: " + e,
- );
- return url; // return plain url as fallback
- }
+ // legacy behaviour removed for security - treat checkUrl as plain URL
+ return url;
 } else {
 var q = qs(this).addThis();
 if (depends.length > 0) {