From f5cdaf51cb33e2283bfb933939a7d02f558ca7cd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Joe=20K=C3=BCng?=
Date: Tue, 3 Mar 2026 18:19:15 +0100
Subject: [PATCH] fix(back-end): fix security issue
---
 .../com/printcalculator/service/SlicerService.java | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/backend/src/main/java/com/printcalculator/service/SlicerService.java b/backend/src/main/java/com/printcalculator/service/SlicerService.java
index cde5e49..82fd544 100644
--- a/backend/src/main/java/com/printcalculator/service/SlicerService.java
+++ b/backend/src/main/java/com/printcalculator/service/SlicerService.java
@@ -639,9 +639,9 @@ public class SlicerService {
 DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
 dbf.setNamespaceAware(true);
 dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
- disableIfSupported(dbf, "http://apache.org/xml/features/disallow-doctype-decl");
- disableIfSupported(dbf, "http://xml.org/sax/features/external-general-entities");
- disableIfSupported(dbf, "http://xml.org/sax/features/external-parameter-entities");
+ setFeatureIfSupported(dbf, "http://apache.org/xml/features/disallow-doctype-decl", true);
+ setFeatureIfSupported(dbf, "http://xml.org/sax/features/external-general-entities", false);
+ setFeatureIfSupported(dbf, "http://xml.org/sax/features/external-parameter-entities", false);
 dbf.setXIncludeAware(false);
 dbf.setExpandEntityReferences(false);
@@ -650,9 +650,9 @@ public class SlicerService {
 }
 }
- private void disableIfSupported(DocumentBuilderFactory dbf, String feature) {
+ private void setFeatureIfSupported(DocumentBuilderFactory dbf, String feature, boolean enabled) {
 try {
- dbf.setFeature(feature, false);
+ dbf.setFeature(feature, enabled);
 } catch (Exception ignored) {
 // Best-effort hardening.
 }
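Review bot: The DOCTYPE ban on the first added line is the primary XXE control, but it still goes through the best-effort helper, so a parser implementation that rejects the feature would be used with DTDs allowed and no signal. Setting it directly, as the line above already does for `FEATURE_SECURE_PROCESSING`, makes it fail closed: `dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);`. As defence in depth the factory could also get `dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");` and `dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");`. The enclosing method starts and ends outside the hunk, so whether a thrown `ParserConfigurationException` is already handled there needs checking. A regression test that feeds this parser a document carrying a `<!DOCTYPE` declaration and expects rejection would pin the inverted-flag bug this commit fixes.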
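Review bot: The `catch (Exception ignored)` in `setFeatureIfSupported` hides every failure, including a null feature name or an unexpected runtime error, and leaves no record of which hardening step was skipped. `DocumentBuilderFactory.setFeature` declares `ParserConfigurationException`, so the catch can be narrowed to `} catch (ParserConfigurationException e) {`, and the feature name should be logged at warning level if the class has a logger (none is visible in this hunk). The helper also needs a short Javadoc saying that `enabled` is the raw feature value rather than "hardening on", for example `/** Sets {@code feature} to {@code enabled}; for disallow-doctype-decl the secure value is true, for the external-entity features it is false. */`. That ambiguity is what the old `disableIfSupported` name got wrong.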