From 75ff477e276134fbdba58500cefbdb30fac3ee83 Mon Sep 17 00:00:00 2001
From: Greg Gibeling
Date: Fri, 18 Jul 2025 14:08:28 -0700
Subject: [PATCH] Allow DocumentBuilderFactory override by subclasses
---
 src/main/java/org/cyclonedx/parsers/XmlParser.java | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/main/java/org/cyclonedx/parsers/XmlParser.java b/src/main/java/org/cyclonedx/parsers/XmlParser.java
index 119e5fd697..815796709a 100644
--- a/src/main/java/org/cyclonedx/parsers/XmlParser.java
+++ b/src/main/java/org/cyclonedx/parsers/XmlParser.java
@@ -335,10 +335,14 @@ private void extractNamespaces(Node node, List namespaces) {
 private Document createSecureDocument(InputSource in) throws ParserConfigurationException, IOException, SAXException {
 //https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#xpathexpression
- DocumentBuilderFactory df = DocumentBuilderFactory.newInstance();
+ final DocumentBuilderFactory df = createDocumentBuilderFactory();
 df.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
 df.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
- DocumentBuilder builder = df.newDocumentBuilder();
+ final DocumentBuilder builder = df.newDocumentBuilder();
 return builder.parse(in);
 }
+
+ protected DocumentBuilderFactory createDocumentBuilderFactory() {
+ return DocumentBuilderFactory.newInstance();
+ }
 }
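Review bot: The new `createDocumentBuilderFactory()` hook at the end of the hunk makes the XXE hardening in `createSecureDocument` depend on whatever factory a subclass returns, and nothing documents that contract. `ACCESS_EXTERNAL_DTD` and `ACCESS_EXTERNAL_SCHEMA` are JAXP 1.5 properties, so `df.setAttribute(...)` throws `IllegalArgumentException` on an implementation that does not recognise them; that fails closed, but it is unchecked and absent from the `throws` clause, so callers (outside this hunk) may not expect it. I would add Javadoc on the hook stating that it must return a fresh, non-null factory and that the caller applies the hardening, e.g. `/** Returns a new factory; createSecureDocument restricts external DTD/schema access on it, so the implementation must support the JAXP 1.5 ACCESS_EXTERNAL_* attributes. */`. Since every JAXP implementation is required to support it, also calling `df.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);` before `newDocumentBuilder()` would give a baseline that does not depend on the subclass's choice.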