From f937b0ac1157f2994bdb594f52cd63cf949fde6a Mon Sep 17 00:00:00 2001
From: jmestwa-coder
Date: Tue, 2 Jun 2026 12:21:08 +0530
Subject: [PATCH] reject doctype declarations in XomDriver

---
 .../thoughtworks/xstream/io/xml/XomDriver.java | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/xstream/src/java/com/thoughtworks/xstream/io/xml/XomDriver.java b/xstream/src/java/com/thoughtworks/xstream/io/xml/XomDriver.java
index e79e97060..3a931503b 100644
--- a/xstream/src/java/com/thoughtworks/xstream/io/xml/XomDriver.java
+++ b/xstream/src/java/com/thoughtworks/xstream/io/xml/XomDriver.java
@@ -20,6 +20,12 @@
 import java.io.Writer;
 import java.net.URL;
 
+import javax.xml.parsers.ParserConfigurationException;
+import javax.xml.parsers.SAXParserFactory;
+
+import org.xml.sax.SAXException;
+import org.xml.sax.XMLReader;
+
 import com.thoughtworks.xstream.io.HierarchicalStreamReader;
 import com.thoughtworks.xstream.io.HierarchicalStreamWriter;
 import com.thoughtworks.xstream.io.StreamException;
@@ -101,7 +107,17 @@ protected Builder getBuilder() {
 */
 protected Builder createBuilder() {
 final Builder builder = getBuilder();
- return builder != null ? builder : new Builder();
+ if (builder != null) {
+ return builder;
+ }
+ try {
+ final SAXParserFactory factory = SAXParserFactory.newInstance();
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ final XMLReader xmlReader = factory.newSAXParser().getXMLReader();
+ return new Builder(xmlReader);
+ } catch (final ParserConfigurationException | SAXException e) {
+ throw new StreamException(e);
+ }
 }
 
 @Override
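Review bot: The DOCTYPE rejection in `createBuilder()` covers only the fallback path: when `getBuilder()` returns a non-null Builder it is handed back unchanged, so a driver configured with its own Builder still parses DTDs with whatever entity handling that Builder's parser allows. If that split is intended, the Javadoc that closes just above the method (it begins outside the hunk) should state it, for example `Returns the caller-supplied builder unchanged if one was set; otherwise creates a builder whose parser rejects any DOCTYPE declaration.` Separately, `SAXParserFactory.newInstance()` is not namespace-aware by default, and the hunk does not show whether XOM re-enables namespace processing on the reader it is given, so adding `factory.setNamespaceAware(true);` before `newSAXParser()` would make that explicit. The feature URI is Xerces-specific; on a JAXP implementation that does not recognise it the `setFeature` call throws and the method fails closed with a `StreamException`, which is the safe direction. The patch touches one file only, so a regression test asserting that input carrying a DOCTYPE is refused would pin the new behaviour.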