set transformer factory attributes to improve protection against XXE (#3837)

Author: pjfanning

src/main/java/com/fasterxml/jackson/databind/ext/DOMSerializer.java

@@ -28,6 +28,8 @@ public DOMSerializer() {
         try {
             transformerFactory = TransformerFactory.newInstance();
             transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+            setTransformerFactoryAttribute(transformerFactory, XMLConstants.ACCESS_EXTERNAL_DTD, "");
+            setTransformerFactoryAttribute(transformerFactory, XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
         } catch (Exception e) {
             throw new IllegalStateException("Could not instantiate `TransformerFactory`: "+e.getMessage(), e);
         }
@@ -61,4 +63,13 @@ public JsonNode getSchema(SerializerProvider provider, java.lang.reflect.Type ty
     public void acceptJsonFormatVisitor(JsonFormatVisitorWrapper visitor, JavaType typeHint) throws JsonMappingException {
         if (visitor != null) visitor.expectAnyFormat(typeHint);
     }
+
+    private static void setTransformerFactoryAttribute(final TransformerFactory transformerFactory,
+                                                       final String name, final Object value) {
+        try {
+            transformerFactory.setAttribute(name, value);
+        } catch (Exception e) {
+            System.err.println("[DOMSerializer] Failed to set TransformerFactory attribute: " + name);
+        }
+    }
 }