diff --git a/zcommon/src/main/java/org/zkoss/idom/input/SAXBuilder.java b/zcommon/src/main/java/org/zkoss/idom/input/SAXBuilder.java
index 2dafda0b1e4..5d2bbcc278d 100644
--- a/zcommon/src/main/java/org/zkoss/idom/input/SAXBuilder.java
+++ b/zcommon/src/main/java/org/zkoss/idom/input/SAXBuilder.java
@@ -90,7 +90,10 @@ public SAXBuilder(boolean nsaware, boolean validate)
 // Fix XML external entity injection
 fty.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
 fty.setFeature("http://xml.org/sax/features/external-general-entities", false);
-
+
+ // Fix Resolving XML external entity in user-controlled data
+ fty.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+
 // SAX2 namespace-prefixes should be true for either builder
 setSafeFeature(fty, "http://xml.org/sax/features/namespace-prefixes", true);
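Review bot: The added `disallow-doctype-decl` line makes every parse through this builder fail on any document that carries a DOCTYPE, including trusted documents and the `validate == true` path, and the comment above it does not say so. I would reword that comment to something like `// XXE hardening: reject any DOCTYPE outright; documents with a DTD now fail to parse`. The feature is Xerces-specific and is set with `fty.setFeature` rather than `setSafeFeature`, so a factory that does not recognise it will presumably throw out of the constructor; failing closed is the right choice for a security setting, but the same comment should mention it. As defence in depth in case DOCTYPE is ever re-allowed for some caller, `fty.setFeature("http://xml.org/sax/features/external-parameter-entities", false);` belongs next to the existing external-general-entities line, which does not cover parameter entities. The constructor body starts before and continues after this hunk, so how `validate` is applied is not visible here.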