Fixed SECURITY-2411

Author: judovana

Diff for: src/main/java/hudson/plugins/nested_view/NestedView.java

@@ -31,6 +31,8 @@
 import java.io.BufferedInputStream;
 import java.io.ByteArrayInputStream;
 import java.io.InputStream;
+
+import javax.xml.XMLConstants;
 import javax.xml.transform.Transformer;
 import javax.xml.transform.TransformerException;
 import javax.xml.transform.TransformerFactory;
@@ -505,10 +507,12 @@ public void updateByXml(Source source) throws IOException {
             // this allows us to use UTF-8 for storing data,
             // plus it checks any well-formedness issue in the submitted
             // data
-            Transformer t = TransformerFactory.newInstance()
-                    .newTransformer();
-            t.transform(source,
-                    new StreamResult(out));
+            TransformerFactory factory = TransformerFactory.newInstance();
+            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+            factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+            factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+            Transformer t = factory.newTransformer();
+            t.transform(source, new StreamResult(out));
             out.close();
         } catch (TransformerException e) {
             throw new IOException2("Failed to persist configuration.xml", e);