Using Java EE 1.8.0_201 (Oracle JVM), I'm having a hard time finding any documentation on how to set a global entity expansion limit. I'm setting this on startup currently:
System.setProperty("jdk.xml.entityExpansionLimit", String.valueOf(100));
This seems to have no effect; I can still perform a basic billion laughs attack and the thread just runs away. XMLSecurityManager has some logic for setting this, but there is no way to provide one for a SAXParserFactory, XMLParser, XMLReader, EntityResolver, etc. I'm also reading that the limit applies to any entity, i.e. if I were to just have a large number of characters, which would be really bad if true. Is there some hidden documentation about all this that I am missing?
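
An added example, not part of the original post: setting the expansion limit on the SAXParser instance through the JAXP property, next to refusing DOCTYPE declarations outright, with a plain-text input to check the "large number of characters" concern. It assumes the JDK's built-in JAXP parser is the implementation the factory returns; the class name `EntityLimitDemo` and both sample documents are constructed for illustration.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.helpers.DefaultHandler;

public class EntityLimitDemo { // hypothetical class name
    // JAXP processing limit, in the URI form understood by the JDK 8 built-in parser
    static final String LIMIT = "http://www.oracle.com/xml/jaxp/properties/entityExpansionLimit";
    // Xerces feature: fail on any DOCTYPE declaration
    static final String NO_DOCTYPE = "http://apache.org/xml/features/disallow-doctype-decl";

    static String repeat(String s, int n) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < n; i++) sb.append(s);
        return sb.toString();
    }

    // Parse with the limit set on this parser instance rather than via a system property.
    static String parse(String xml, boolean allowDoctype) {
        try {
            SAXParserFactory f = SAXParserFactory.newInstance();
            f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            f.setFeature(NO_DOCTYPE, !allowDoctype);
            SAXParser p = f.newSAXParser();
            p.setProperty(LIMIT, "100"); // throws if the loaded parser does not know the property
            p.parse(new InputSource(new StringReader(xml)), new DefaultHandler());
            return "parsed";
        } catch (Exception e) {
            return "rejected: " + e;
        }
    }

    public static void main(String[] args) {
        // Which implementation is actually loaded? App servers often substitute their own.
        System.out.println(SAXParserFactory.newInstance().getClass().getName());
        // Constructed sample: three nesting levels of ten references each, well over 100 expansions.
        String nested = "<!DOCTYPE r [<!ENTITY a \"x\">"
            + "<!ENTITY b \"" + repeat("&a;", 10) + "\">"
            + "<!ENTITY c \"" + repeat("&b;", 10) + "\">"
            + "<!ENTITY d \"" + repeat("&c;", 10) + "\">]><r>&d;</r>";
        // Constructed sample: 10,000 plain characters and no entities at all.
        String plain = "<r>" + repeat("x", 10000) + "</r>";
        System.out.println("nested, DTD allowed: " + parse(nested, true));
        System.out.println("nested, DTD refused: " + parse(nested, false));
        System.out.println("plain text:          " + parse(plain, true));
    }
}
```

The first printed line names the factory implementation in use; if it is not the JDK's own, the `jdk.xml.*` limits and the property above may not be recognized by that parser at all.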