...
This compliant solution defines a CustomResolver class that implements the interface org.xml.sax.EntityResolver. This enables a SAX application to implement customized handling of external entities. The setEntityResolver() method registers the implementation with the corresponding SAX driver. The customized handler uses a simple whitelist for external entities. The resolveEntity() method returns an empty InputSource when an input fails to resolve to any of the specified, safe entity source paths. Consequently, when parsing malicious input, the empty InputSource returned by the custom resolver causes a java.net.MalformedURLException to be thrown. Note that you must create an XMLReader object on which to set the custom entity resolver.
...