diff --git a/src/main/java/org/apache/ibatis/parsing/XPathParser.java b/src/main/java/org/apache/ibatis/parsing/XPathParser.java
index 3ebc3be2f8b..c1b3949d239 100644
--- a/src/main/java/org/apache/ibatis/parsing/XPathParser.java
+++ b/src/main/java/org/apache/ibatis/parsing/XPathParser.java
@@ -231,6 +231,9 @@ private Document createDocument(InputSource inputSource) {
     try {
       DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
       factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+      factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+      factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+      factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
       factory.setValidating(validation);
 
       factory.setNamespaceAware(false);