[SECURITY] XML entity expansion