Merge pull request #3251 from mybatis/autofix/alert-6-2d7812d9b9

Fix code scanning alert no. 6: Resolving XML external entity in user-controlled data

Author: hazendaz

src/main/java/org/apache/ibatis/parsing/XPathParser.java

@@ -237,7 +237,7 @@ private Document createDocument(InputSource inputSource) {
       factory.setIgnoringComments(true);
       factory.setIgnoringElementContentWhitespace(false);
       factory.setCoalescing(false);
-      factory.setExpandEntityReferences(true);
+      factory.setExpandEntityReferences(false);
 
       DocumentBuilder builder = factory.newDocumentBuilder();
       builder.setEntityResolver(entityResolver);