
Tag: xxe

TransformerFactory still vulnerable to XXE attacks

I have a method like below. I’ve set the FEATURE_SECURE_PROCESSING to true. When I run my unit test below, I can list the files under project directory, meaning it is vulnerable to XXE attacks. How can I secure the TransformerFactory to such attacks?

Answer

You’re supplying a DOMSource to the TransformerFactory, so the DTD was processed before the TransformerFactory came
