diff --git a/app/src/main/java/biweekly/io/xml/XCalDocument.java b/app/src/main/java/biweekly/io/xml/XCalDocument.java
index 4f3211f1d8..65d4254866 100644
--- a/app/src/main/java/biweekly/io/xml/XCalDocument.java
+++ b/app/src/main/java/biweekly/io/xml/XCalDocument.java
@@ -21,6 +21,7 @@ import java.util.Iterator;
 import java.util.List;
 import java.util.Map;
+import javax.xml.XMLConstants;
 import javax.xml.namespace.QName;
 import javax.xml.transform.Transformer;
 import javax.xml.transform.TransformerConfigurationException;
@@ -472,6 +473,7 @@ public class XCalDocument {
 Transformer transformer;
 try {
 TransformerFactory factory = TransformerFactory.newInstance();
+ factory.setAttribute(XMLConstants.FEATURE_SECURE_PROCESSING, true);
 factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
 transformer = factory.newTransformer();
 } catch (TransformerConfigurationException e) {
diff --git a/app/src/main/java/biweekly/io/xml/XCalReader.java b/app/src/main/java/biweekly/io/xml/XCalReader.java
index 89ce066a59..e42229b318 100644
--- a/app/src/main/java/biweekly/io/xml/XCalReader.java
+++ b/app/src/main/java/biweekly/io/xml/XCalReader.java
@@ -22,6 +22,7 @@ import java.util.List;
 import java.util.concurrent.ArrayBlockingQueue;
 import java.util.concurrent.BlockingQueue;
+import javax.xml.XMLConstants;
 import javax.xml.namespace.QName;
 import javax.xml.transform.ErrorListener;
 import javax.xml.transform.Source;
@@ -206,6 +207,7 @@ public class XCalReader extends StreamReader {
 //create the transformer
 try {
 TransformerFactory factory = TransformerFactory.newInstance();
+ factory.setAttribute(XMLConstants.FEATURE_SECURE_PROCESSING, true);
 factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
 XmlUtils.applyXXEProtection(factory);
diff --git a/app/src/main/java/biweekly/util/XmlUtils.java b/app/src/main/java/biweekly/util/XmlUtils.java
index 15fad95c7c..0467c6fadc 100644
--- a/app/src/main/java/biweekly/util/XmlUtils.java
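Review bot: The added `factory.setAttribute(XMLConstants.FEATURE_SECURE_PROCESSING, true)` goes through the wrong JAXP entry point: FEATURE_SECURE_PROCESSING is a feature, which every TransformerFactory is required to honour via setFeature, whereas setAttribute is reserved for implementation-specific attributes and is documented to throw IllegalArgumentException for a name the implementation does not recognise — as far as I can tell the JDK's built-in factory does not accept this name as an attribute. That exception is unchecked, so the `catch (TransformerConfigurationException e)` at the end of the hunk does not cover it and transformer construction would fail instead of being hardened. The line directly below already shows the right form; change the new line to `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);`. The enclosing method begins before this hunk and continues after it.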
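Review bot: The new `factory.setAttribute(XMLConstants.FEATURE_SECURE_PROCESSING, true)` should be `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);` — secure processing is a feature that the TransformerFactory API guarantees only through setFeature, and setAttribute throws IllegalArgumentException (unchecked) for names the implementation does not know, which would abort construction of the reader's transformer rather than harden it. This matters most here because XCalReader is the path that consumes the incoming xCal document; `XmlUtils.applyXXEProtection(factory)` two lines below presumably already restricts external DTD/stylesheet access (its body is not in the diff), so the secure-processing flag is a second layer and should at least be applied in the form the API supports. The try's catch clause and the rest of the enclosing method lie outside the hunk, so whether a runtime exception here would propagate or be swallowed cannot be judged from the diff.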
+++ b/app/src/main/java/biweekly/util/XmlUtils.java
@@ -14,6 +14,7 @@ import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+import javax.xml.XMLConstants;
 import javax.xml.namespace.QName;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
@@ -291,6 +292,7 @@ public final class XmlUtils {
 public static void toWriter(Node node, Writer writer, Map outputProperties) throws TransformerException {
 try {
 TransformerFactory factory = TransformerFactory.newInstance();
+ factory.setAttribute(XMLConstants.FEATURE_SECURE_PROCESSING, true);
 factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
 Transformer transformer = factory.newTransformer();
 for (Map.Entry property : outputProperties.entrySet()) {
diff --git a/app/src/main/java/com/bugsnag/android/repackaged/dslplatform/json/XmlConverter.java b/app/src/main/java/com/bugsnag/android/repackaged/dslplatform/json/XmlConverter.java
index 7ed5cfe6cb..109c81ecc8 100644
--- a/app/src/main/java/com/bugsnag/android/repackaged/dslplatform/json/XmlConverter.java
+++ b/app/src/main/java/com/bugsnag/android/repackaged/dslplatform/json/XmlConverter.java
@@ -39,6 +39,8 @@ public abstract class XmlConverter {
 static {
 DocumentBuilderFactory dbFactory = DocumentBuilderFactory.newInstance();
 try {
+ dbFactory.setXIncludeAware(false);
+ dbFactory.setExpandEntityReferences(false);
 dbFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
 documentBuilder = dbFactory.newDocumentBuilder();
 } catch (ParserConfigurationException e) {
diff --git a/app/src/main/java/com/sun/mail/handlers/text_xml.java b/app/src/main/java/com/sun/mail/handlers/text_xml.java
index 2c578c8c8a..429f900c71 100644
--- a/app/src/main/java/com/sun/mail/handlers/text_xml.java
+++ b/app/src/main/java/com/sun/mail/handlers/text_xml.java
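Review bot: In toWriter the added `factory.setAttribute(XMLConstants.FEATURE_SECURE_PROCESSING, true)` uses setAttribute for what is a JAXP feature; the API only guarantees secure processing via setFeature, and setAttribute throws IllegalArgumentException for an unrecognised name, so on a factory that does not treat this URI as an attribute the helper would throw an unchecked exception before `factory.newTransformer()` is reached. Replace the line with `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);`, matching the setFeature call immediately below it. The catch clause for this try and the remainder of toWriter are outside the hunk, so whether the IllegalArgumentException would be translated into the declared TransformerException cannot be seen here.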
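Review bot: `dbFactory.setExpandEntityReferences(false)` is not an XXE control — it only keeps EntityReference nodes in the resulting DOM instead of expanding them, and the parser still processes the DOCTYPE and may still fetch external entities and the external DTD subset; `setXIncludeAware(false)` is the JAXP default, so neither new line changes the attack surface. The effective guard in this block remains the pre-existing disallow-doctype-decl feature, so if the intent is defence in depth for a parser that does not honour that name, the standard external-entity features and secure processing (which needs `import javax.xml.XMLConstants;`, not added to this file by the commit) are the lines to add, placed before the DOCTYPE line. Bear in mind that every setFeature call throws ParserConfigurationException for a name the runtime parser rejects, which abandons the try before `documentBuilder = dbFactory.newDocumentBuilder()`; the catch that decides whether that fails closed or falls back to an unhardened builder is outside the hunk and is worth checking. The static initializer continues past the end of the hunk.
```java
                dbFactory.setExpandEntityReferences(false);
                // Defence in depth: never fetch external entities or the external DTD subset,
                // even on a parser that does not support the DOCTYPE ban below.
                dbFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
                dbFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
                dbFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
                dbFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
                // … unchanged: disallow-doctype-decl, newDocumentBuilder() …
```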
@@ -23,6 +23,7 @@ import javax.activation.ActivationDataFlavor;
 import javax.activation.DataSource;
 import javax.mail.internet.ContentType;
 import javax.mail.internet.ParseException;
+import javax.xml.XMLConstants;
 import javax.xml.transform.Source;
 import javax.xml.transform.Transformer;
 import javax.xml.transform.TransformerFactory;
@@ -80,6 +81,7 @@ public class text_xml extends text_plain {
 try {
 TransformerFactory factory = TransformerFactory.newInstance();
+ factory.setAttribute(XMLConstants.FEATURE_SECURE_PROCESSING, true);
 factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
 Transformer transformer = factory.newTransformer();
 StreamResult result = new StreamResult(os);
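Review bot: The added `factory.setAttribute(XMLConstants.FEATURE_SECURE_PROCESSING, true)` in the text/xml handler should read `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);` — FEATURE_SECURE_PROCESSING is a feature that TransformerFactory implementations are required to support only through setFeature, while setAttribute is for implementation-defined attributes and is specified to throw IllegalArgumentException for a name the implementation does not recognise. Because that exception is unchecked, it would escape any catch written for TransformerConfigurationException and break writing of text/xml mail parts rather than harden it; the existing setFeature call on the next line is the pattern to follow. The enclosing method and the try's catch clause lie outside the hunk, so the actual failure mode cannot be confirmed from the diff alone.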