Thank you very much, Christian!

> I am using the internal parser with the DTD option set to false, but this is still vulnerable to the one billion laughs attack.

Thanks for the hint. I have improved the entity expansion checks in our internal XML parser [1].

In BaseX 11.5, the billion laughs [https://gist.github.com/mgeeky/4f726d3b374f0a34267d4f19c9004870] ran for a long time, and gave me "java.lang.ArrayIndexOutOfBoundsException: Maximum array size reached."
The latest release says: "Entities: expansion limit exceeded or recursive definitions found."
No more billion laughs!

I was working on an extra option to set `

XMLConstants.FEATURE_SECURE_PROCESSING` to `true`, because I used that in the project that I am rewriting.
This option is used to "set limits on XML constructs to avoid conditions such as denial of service attacks." With your recent changes, I think this is no longer needed.

If you find an example that will not be caught by our (very simple) heuristics, feel free to share it with us.

I am still testing, and will let you know if I find anything.

I agree with Eliot that it can be hazardous to process arbitrary external contents (you are probably aware of that, too). Good firewall/proxy settings may be able to tackle some of the issues that will not be handled during XML parsing.

Unfortunately, I have little influence on the firewall/proxy in the production environment, so I try to handle everything in BaseX or my docker image.

Kind regards,
Nico