Moderate severityNVD Advisory· Published Sep 4, 2014· Updated May 6, 2026

CVE-2014-3529

CVE-2014-3529

Description

The OPC SAX setup in Apache POI before 3.10.1 allows remote attackers to read arbitrary files via an OpenXML file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. In practice the affected code is the OPC (Open Packaging Conventions) layer that parses the package's [Content_Types].xml, relationship (.rels) and core-properties parts with default-configured XML parsers; the fix below routes those parses through helpers that ignore external entities and cap entity expansion.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
org.apache.poi:poi (Maven) | < 3.10.1 | 3.10.1

Affected products

  • Apache/Poi — 64 versions
    • cpe:2.3:a:apache:poi:*:*:*:*:*:*:*:*range: <=3.10
    • cpe:2.3:a:apache:poi:0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:poi:0.10.0:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:poi:0.11.0:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:poi:0.12.0:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:poi:0.13.0:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:poi:0.14.0:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:poi:0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:poi:0.3:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:poi:0.4:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:poi:0.5:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:poi:0.6:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:poi:0.7:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:poi:1.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:poi:1.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:poi:1.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:poi:1.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:poi:1.10:dev:*:*:*:*:*:*
    • cpe:2.3:a:apache:poi:1.2.0:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:poi:1.5:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:poi:1.5.1:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:poi:1.7:dev:*:*:*:*:*:*
    • cpe:2.3:a:apache:poi:1.8:dev:*:*:*:*:*:*
    • cpe:2.3:a:apache:poi:2.0:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:poi:2.0:pre1:*:*:*:*:*:*
    • cpe:2.3:a:apache:poi:2.0:pre2:*:*:*:*:*:*
    • cpe:2.3:a:apache:poi:2.0:pre3:*:*:*:*:*:*
    • cpe:2.3:a:apache:poi:2.0:rc1:*:*:*:*:*:*
    • cpe:2.3:a:apache:poi:2.0:rc2:*:*:*:*:*:*
    • cpe:2.3:a:apache:poi:2.5:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:poi:2.5.1:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:poi:3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:poi:3.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:poi:3.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:poi:3.0.2:beta1:*:*:*:*:*:*
    • cpe:2.3:a:apache:poi:3.0.2:beta2:*:*:*:*:*:*
    • cpe:2.3:a:apache:poi:3.0:alpha1:*:*:*:*:*:*
    • cpe:2.3:a:apache:poi:3.0:alpha2:*:*:*:*:*:*
    • cpe:2.3:a:apache:poi:3.0:alpha3:*:*:*:*:*:*
    • cpe:2.3:a:apache:poi:3.1:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:poi:3.10:beta1:*:*:*:*:*:*
    • cpe:2.3:a:apache:poi:3.10:beta2:*:*:*:*:*:*
    • cpe:2.3:a:apache:poi:3.1:beta1:*:*:*:*:*:*
    • cpe:2.3:a:apache:poi:3.1:beta2:*:*:*:*:*:*
    • cpe:2.3:a:apache:poi:3.2:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:poi:3.5:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:poi:3.5:beta1:*:*:*:*:*:*
    • cpe:2.3:a:apache:poi:3.5:beta2:*:*:*:*:*:*
    • cpe:2.3:a:apache:poi:3.5:beta3:*:*:*:*:*:*
    • cpe:2.3:a:apache:poi:3.5:beta4:*:*:*:*:*:*
    • cpe:2.3:a:apache:poi:3.5:beta5:*:*:*:*:*:*
    • cpe:2.3:a:apache:poi:3.5:beta6:*:*:*:*:*:*
    • cpe:2.3:a:apache:poi:3.6:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:poi:3.7:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:poi:3.7:beta1:*:*:*:*:*:*
    • cpe:2.3:a:apache:poi:3.7:beta2:*:*:*:*:*:*
    • cpe:2.3:a:apache:poi:3.7:beta3:*:*:*:*:*:*
    • cpe:2.3:a:apache:poi:3.8:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:poi:3.8:beta1:*:*:*:*:*:*
    • cpe:2.3:a:apache:poi:3.8:beta2:*:*:*:*:*:*
    • cpe:2.3:a:apache:poi:3.8:beta3:*:*:*:*:*:*
    • cpe:2.3:a:apache:poi:3.8:beta4:*:*:*:*:*:*
    • cpe:2.3:a:apache:poi:3.8:beta5:*:*:*:*:*:*
    • cpe:2.3:a:apache:poi:3.9:*:*:*:*:*:*:*

Patches

eabb6a924be2

More cleanups for bug #56814 and some more external entity leaks of #56164

https://github.com/apache/poi · Uwe Schindler · Aug 13, 2014 · via GHSA
10 files changed · +109 −81
  • src/ooxml/java/org/apache/poi/openxml4j/opc/internal/ContentTypeManager.java+1 2 modified
    @@ -33,7 +33,6 @@ Licensed to the Apache Software Foundation (ASF) under one or more
     import org.apache.poi.openxml4j.opc.PackagePartName;
     import org.apache.poi.openxml4j.opc.PackagingURIHelper;
     import org.apache.poi.util.DocumentHelper;
    -import org.apache.poi.util.SAXHelper;
     import org.w3c.dom.Document;
     import org.w3c.dom.Element;
     import org.w3c.dom.NodeList;
    @@ -371,7 +370,7 @@ public void clearOverrideContentTypes() {
     	private void parseContentTypesFile(InputStream in)
     			throws InvalidFormatException {
     		try {
    -			Document xmlContentTypetDoc = SAXHelper.readSAXDocument(in);
    +			Document xmlContentTypetDoc = DocumentHelper.readDocument(in);
     
     			// Default content types
     			NodeList defaultTypes = xmlContentTypetDoc.getDocumentElement().getElementsByTagName(DEFAULT_TAG_NAME);
    
  • src/ooxml/java/org/apache/poi/openxml4j/opc/internal/unmarshallers/PackagePropertiesUnmarshaller.java+2 2 modified
    @@ -31,7 +31,7 @@ Licensed to the Apache Software Foundation (ASF) under one or more
     import org.apache.poi.openxml4j.opc.internal.PackagePropertiesPart;
     import org.apache.poi.openxml4j.opc.internal.PartUnmarshaller;
     import org.apache.poi.openxml4j.opc.internal.ZipHelper;
    -import org.apache.poi.util.SAXHelper;
    +import org.apache.poi.util.DocumentHelper;
     import org.w3c.dom.Attr;
     import org.w3c.dom.Document;
     import org.w3c.dom.Element;
    @@ -105,7 +105,7 @@ public PackagePart unmarshall(UnmarshallContext context, InputStream in)
     
     		Document xmlDoc;
     		try {
    -			xmlDoc = SAXHelper.readSAXDocument(in);
    +			xmlDoc = DocumentHelper.readDocument(in);
     
     			/* Check OPC compliance */
     
    
  • src/ooxml/java/org/apache/poi/openxml4j/opc/PackageRelationshipCollection.java+2 2 modified
    @@ -24,9 +24,9 @@ Licensed to the Apache Software Foundation (ASF) under one or more
     
     import org.apache.poi.openxml4j.exceptions.InvalidFormatException;
     import org.apache.poi.openxml4j.exceptions.InvalidOperationException;
    +import org.apache.poi.util.DocumentHelper;
     import org.apache.poi.util.POILogFactory;
     import org.apache.poi.util.POILogger;
    -import org.apache.poi.util.SAXHelper;
     import org.w3c.dom.Attr;
     import org.w3c.dom.Document;
     import org.w3c.dom.Element;
    @@ -311,7 +311,7 @@ private void parseRelationshipsPart(PackagePart relPart)
                 throws InvalidFormatException {
             try {
                 logger.log(POILogger.DEBUG, "Parsing relationship: " + relPart.getPartName());
    -            Document xmlRelationshipsDoc = SAXHelper.readSAXDocument(relPart.getInputStream());
    +            Document xmlRelationshipsDoc = DocumentHelper.readDocument(relPart.getInputStream());
     
                 // Browse default types
                 Element root = xmlRelationshipsDoc.getDocumentElement();
    
  • src/ooxml/java/org/apache/poi/util/DocumentHelper.java+67 5 modified
    @@ -17,6 +17,10 @@ Licensed to the Apache Software Foundation (ASF) under one or more
     
     package org.apache.poi.util;
     
    +import java.io.IOException;
    +import java.io.InputStream;
    +import java.lang.reflect.Method;
    +
     import javax.xml.XMLConstants;
     import javax.xml.parsers.DocumentBuilder;
     import javax.xml.parsers.DocumentBuilderFactory;
    @@ -25,20 +29,78 @@ Licensed to the Apache Software Foundation (ASF) under one or more
     
     import org.w3c.dom.Document;
     import org.w3c.dom.Element;
    +import org.xml.sax.SAXException;
     
    -public class DocumentHelper {
    +public final class DocumentHelper {
    +    private static POILogger logger = POILogFactory.getLogger(DocumentHelper.class);
    +    
    +    private DocumentHelper() {}
     
    -    private static final DocumentBuilder newDocumentBuilder;
    -    static {
    +    /**
    +     * Creates a new document builder, with sensible defaults
    +     */
    +    public static synchronized DocumentBuilder newDocumentBuilder() {
             try {
    -            newDocumentBuilder = DocumentBuilderFactory.newInstance().newDocumentBuilder();
    +            DocumentBuilder documentBuilder = documentBuilderFactory.newDocumentBuilder();
    +            documentBuilder.setEntityResolver(SAXHelper.IGNORING_ENTITY_RESOLVER);
    +            return documentBuilder;
             } catch (ParserConfigurationException e) {
                 throw new IllegalStateException("cannot create a DocumentBuilder", e);
             }
         }
     
    +    private static final DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
    +    static {
    +        documentBuilderFactory.setNamespaceAware(true);
    +        documentBuilderFactory.setValidating(false);
    +        trySetSAXFeature(documentBuilderFactory, XMLConstants.FEATURE_SECURE_PROCESSING, true);
    +        trySetXercesSecurityManager(documentBuilderFactory);
    +    }
    +
    +    private static void trySetSAXFeature(DocumentBuilderFactory documentBuilderFactory, String feature, boolean enabled) {
    +        try {
    +            documentBuilderFactory.setFeature(feature, enabled);
    +        } catch (Exception e) {
    +            logger.log(POILogger.INFO, "SAX Feature unsupported", feature, e);
    +        }
    +    }
    +    private static void trySetXercesSecurityManager(DocumentBuilderFactory documentBuilderFactory) {
    +        // Try built-in JVM one first, standalone if not
    +        for (String securityManagerClassName : new String[] {
    +                "com.sun.org.apache.xerces.internal.util.SecurityManager",
    +                "org.apache.xerces.util.SecurityManager"
    +        }) {
    +            try {
    +                Object mgr = Class.forName(securityManagerClassName).newInstance();
    +                Method setLimit = mgr.getClass().getMethod("setEntityExpansionLimit", Integer.TYPE);
    +                setLimit.invoke(mgr, 4096);
    +                documentBuilderFactory.setAttribute("http://apache.org/xml/properties/security-manager", mgr);
    +                // Stop once one can be setup without error
    +                return;
    +            } catch (Exception e) {
    +                logger.log(POILogger.INFO, "SAX Security Manager could not be setup", e);
    +            }
    +        }
    +    }
    +
    +    /**
    +     * Parses the given stream via the default (sensible)
    +     * DocumentBuilder
    +     * @param inp Stream to read the XML data from
    +     * @return the parsed Document 
    +     */
    +    public static Document readDocument(InputStream inp) throws IOException, SAXException {
    +        return newDocumentBuilder().parse(inp);
    +    }
    +
    +    // must only be used to create empty documents, do not use it for parsing!
    +    private static final DocumentBuilder documentBuilderSingleton = newDocumentBuilder();
    +
    +    /**
    +     * Creates a new DOM Document
    +     */
         public static synchronized Document createDocument() {
    -        return newDocumentBuilder.newDocument();
    +        return documentBuilderSingleton.newDocument();
         }
     
         /**
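Review bot: The external-entity defence in `newDocumentBuilder()` rests on `IGNORING_ENTITY_RESOLVER` plus `FEATURE_SECURE_PROCESSING`, but the factory never explicitly turns off external entities or DTD loading, so whether a SYSTEM entity is ever fetched depends on the parser consulting the resolver and on how a given JAXP implementation interprets secure processing. In the static block I would add, through the existing helper, `trySetSAXFeature(documentBuilderFactory, "http://xml.org/sax/features/external-general-entities", false);`, `trySetSAXFeature(documentBuilderFactory, "http://xml.org/sax/features/external-parameter-entities", false);` and `trySetSAXFeature(documentBuilderFactory, "http://apache.org/xml/features/nonvalidating/load-external-dtd", false);` so the resolver is a second line of defence rather than the only one. Separately, when neither Xerces `SecurityManager` class can be loaded, `trySetXercesSecurityManager` logs at INFO and parsing proceeds with no entity-expansion limit at all; that condition should be logged at WARN so operators can tell the limit is not in effect. The `readDocument` Javadoc should also document the `IOException` and `SAXException` it propagates and note that the returned builder is not reused across calls.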
    
  • src/ooxml/java/org/apache/poi/util/SAXHelper.java+27 39 modified
    @@ -18,19 +18,17 @@ Licensed to the Apache Software Foundation (ASF) under one or more
     package org.apache.poi.util;
     
     import java.io.IOException;
    -import java.io.InputStream;
     import java.io.StringReader;
     import java.lang.reflect.Method;
     
     import javax.xml.XMLConstants;
    -import javax.xml.parsers.DocumentBuilder;
    -import javax.xml.parsers.DocumentBuilderFactory;
     import javax.xml.parsers.ParserConfigurationException;
    +import javax.xml.parsers.SAXParserFactory;
     
    -import org.w3c.dom.Document;
     import org.xml.sax.EntityResolver;
     import org.xml.sax.InputSource;
     import org.xml.sax.SAXException;
    +import org.xml.sax.XMLReader;
     
     
     /**
    @@ -39,43 +37,43 @@ Licensed to the Apache Software Foundation (ASF) under one or more
     public final class SAXHelper {
         private static POILogger logger = POILogFactory.getLogger(SAXHelper.class);
     
    -    private static final EntityResolver IGNORING_ENTITY_RESOLVER = new EntityResolver() {
    +    private SAXHelper() {}
    +
    +    /**
    +     * Creates a new SAX XMLReader, with sensible defaults
    +     */
    +    public static synchronized XMLReader newXMLReader() throws SAXException, ParserConfigurationException {
    +        XMLReader xmlReader = saxFactory.newSAXParser().getXMLReader();
    +        xmlReader.setEntityResolver(IGNORING_ENTITY_RESOLVER);
    +        trySetSAXFeature(xmlReader, XMLConstants.FEATURE_SECURE_PROCESSING, true);
    +        trySetXercesSecurityManager(xmlReader);
    +        return xmlReader;
    +    }
    +    
    +    static final EntityResolver IGNORING_ENTITY_RESOLVER = new EntityResolver() {
             @Override
             public InputSource resolveEntity(String publicId, String systemId)
                     throws SAXException, IOException {
                 return new InputSource(new StringReader(""));
             }
         };
    -
    -    private static final DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
    +    
    +    private static final SAXParserFactory saxFactory;
         static {
    -        documentBuilderFactory.setNamespaceAware(true);
    -        documentBuilderFactory.setValidating(false);
    -        trySetSAXFeature(documentBuilderFactory, XMLConstants.FEATURE_SECURE_PROCESSING, true);
    -        trySetXercesSecurityManager(documentBuilderFactory);
    -    }
    -
    -    /**
    -     * Creates a new document builder, with sensible defaults
    -     */
    -    public static synchronized DocumentBuilder getDocumentBuilder() {
    -        try {
    -            DocumentBuilder documentBuilder = documentBuilderFactory.newDocumentBuilder();
    -            documentBuilder.setEntityResolver(IGNORING_ENTITY_RESOLVER);
    -            return documentBuilder;
    -        } catch (ParserConfigurationException e) {
    -            throw new IllegalStateException("cannot create a DocumentBuilder", e);
    -        }
    +        saxFactory = SAXParserFactory.newInstance();
    +        saxFactory.setValidating(false);
    +        saxFactory.setNamespaceAware(true);
         }
    -
    -    private static void trySetSAXFeature(DocumentBuilderFactory documentBuilderFactory, String feature, boolean enabled) {
    +            
    +    private static void trySetSAXFeature(XMLReader xmlReader, String feature, boolean enabled) {
             try {
    -            documentBuilderFactory.setFeature(feature, enabled);
    +            xmlReader.setFeature(feature, enabled);
             } catch (Exception e) {
                 logger.log(POILogger.INFO, "SAX Feature unsupported", feature, e);
             }
         }
    -    private static void trySetXercesSecurityManager(DocumentBuilderFactory documentBuilderFactory) {
    +    
    +    private static void trySetXercesSecurityManager(XMLReader xmlReader) {
             // Try built-in JVM one first, standalone if not
             for (String securityManagerClassName : new String[] {
                     "com.sun.org.apache.xerces.internal.util.SecurityManager",
    @@ -85,22 +83,12 @@ private static void trySetXercesSecurityManager(DocumentBuilderFactory documentB
                     Object mgr = Class.forName(securityManagerClassName).newInstance();
                     Method setLimit = mgr.getClass().getMethod("setEntityExpansionLimit", Integer.TYPE);
                     setLimit.invoke(mgr, 4096);
    -                documentBuilderFactory.setAttribute("http://apache.org/xml/properties/security-manager", mgr);
    +                xmlReader.setProperty("http://apache.org/xml/properties/security-manager", mgr);
                     // Stop once one can be setup without error
                     return;
                 } catch (Exception e) {
                     logger.log(POILogger.INFO, "SAX Security Manager could not be setup", e);
                 }
             }
         }
    -
    -    /**
    -     * Parses the given stream via the default (sensible)
    -     * SAX Reader
    -     * @param inp Stream to read the XML data from
    -     * @return the SAX processed Document 
    -     */
    -    public static Document readSAXDocument(InputStream inp) throws IOException, SAXException {
    -        return getDocumentBuilder().parse(inp);
    -    }
     }
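Review bot: `newXMLReader()` sets `FEATURE_SECURE_PROCESSING` on the already-created `XMLReader` rather than on `saxFactory` before `newSAXParser()`; JAXP defines that feature on the factory, and whether an `XMLReader` honours it after construction is implementation-specific, so the static block should also call `saxFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` inside the same try/log pattern used by `trySetSAXFeature`. Blocking external entities here relies solely on `IGNORING_ENTITY_RESOLVER`; I would additionally set `http://xml.org/sax/features/external-general-entities` and `http://xml.org/sax/features/external-parameter-entities` to `false` via `trySetSAXFeature` in `newXMLReader()` so a parser that does not route every external reference through the resolver still refuses them. `IGNORING_ENTITY_RESOLVER` changed from `private` to package-private so `DocumentHelper` can share it; a one-line comment such as `// shared with DocumentHelper; deliberately resolves every entity to an empty document` would stop a later cleanup from re-privatising it or "fixing" the empty result.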
    
  • src/ooxml/java/org/apache/poi/xssf/eventusermodel/ReadOnlySharedStringsTable.java+2 5 modified
    @@ -22,12 +22,11 @@ Licensed to the Apache Software Foundation (ASF) under one or more
     import java.util.List;
     
     import javax.xml.parsers.ParserConfigurationException;
    -import javax.xml.parsers.SAXParser;
    -import javax.xml.parsers.SAXParserFactory;
     
     import org.apache.poi.openxml4j.opc.OPCPackage;
     import org.apache.poi.openxml4j.opc.PackagePart;
     import org.apache.poi.openxml4j.opc.PackageRelationship;
    +import org.apache.poi.util.SAXHelper;
     import org.apache.poi.xssf.usermodel.XSSFRelation;
     import org.xml.sax.Attributes;
     import org.xml.sax.InputSource;
    @@ -134,10 +133,8 @@ public ReadOnlySharedStringsTable(PackagePart part, PackageRelationship rel_igno
          */
         public void readFrom(InputStream is) throws IOException, SAXException {
             InputSource sheetSource = new InputSource(is);
    -        SAXParserFactory saxFactory = SAXParserFactory.newInstance();
             try {
    -           SAXParser saxParser = saxFactory.newSAXParser();
    -           XMLReader sheetParser = saxParser.getXMLReader();
    +           XMLReader sheetParser = SAXHelper.newXMLReader();
                sheetParser.setContentHandler(this);
                sheetParser.parse(sheetSource);
             } catch(ParserConfigurationException e) {
    
  • src/ooxml/java/org/apache/poi/xssf/extractor/XSSFEventBasedExcelExtractor.java+2 5 modified
    @@ -24,8 +24,6 @@ Licensed to the Apache Software Foundation (ASF) under one or more
     import java.util.Map;
     
     import javax.xml.parsers.ParserConfigurationException;
    -import javax.xml.parsers.SAXParser;
    -import javax.xml.parsers.SAXParserFactory;
     
     import org.apache.poi.POIXMLProperties;
     import org.apache.poi.POIXMLProperties.CoreProperties;
    @@ -35,6 +33,7 @@ Licensed to the Apache Software Foundation (ASF) under one or more
     import org.apache.poi.openxml4j.exceptions.OpenXML4JException;
     import org.apache.poi.openxml4j.opc.OPCPackage;
     import org.apache.poi.ss.usermodel.DataFormatter;
    +import org.apache.poi.util.SAXHelper;
     import org.apache.poi.xssf.eventusermodel.ReadOnlySharedStringsTable;
     import org.apache.poi.xssf.eventusermodel.XSSFReader;
     import org.apache.poi.xssf.eventusermodel.XSSFSheetXMLHandler;
    @@ -174,10 +173,8 @@ public void processSheet(
            }
           
            InputSource sheetSource = new InputSource(sheetInputStream);
    -       SAXParserFactory saxFactory = SAXParserFactory.newInstance();
            try {
    -          SAXParser saxParser = saxFactory.newSAXParser();
    -          XMLReader sheetParser = saxParser.getXMLReader();
    +          XMLReader sheetParser = SAXHelper.newXMLReader();
               ContentHandler handler = new XSSFSheetXMLHandler(
                     styles, comments, strings, sheetContentsExtractor, formatter, formulasNotResults);
               sheetParser.setContentHandler(handler);
    
  • src/ooxml/java/org/apache/poi/xssf/extractor/XSSFExportToXml.java+2 13 modified
    @@ -28,8 +28,6 @@ Licensed to the Apache Software Foundation (ASF) under one or more
     import java.util.Map;
     import java.util.Vector;
     
    -import javax.xml.parsers.DocumentBuilder;
    -import javax.xml.parsers.DocumentBuilderFactory;
     import javax.xml.parsers.ParserConfigurationException;
     import javax.xml.transform.OutputKeys;
     import javax.xml.transform.Source;
    @@ -45,7 +43,7 @@ Licensed to the Apache Software Foundation (ASF) under one or more
     import org.apache.poi.openxml4j.exceptions.InvalidFormatException;
     import org.apache.poi.ss.usermodel.Cell;
     import org.apache.poi.ss.usermodel.DateUtil;
    -import org.apache.poi.util.XMLHelper;
    +import org.apache.poi.util.DocumentHelper;
     import org.apache.poi.xssf.usermodel.XSSFCell;
     import org.apache.poi.xssf.usermodel.XSSFMap;
     import org.apache.poi.xssf.usermodel.XSSFRow;
    @@ -106,15 +104,6 @@ public void exportToXML(OutputStream os, boolean validate) throws SAXException,
             exportToXML(os, "UTF-8", validate);
         }
     
    -    private Document getEmptyDocument() throws ParserConfigurationException{
    -
    -        DocumentBuilderFactory dbfac = XMLHelper.getDocumentBuilderFactory();
    -        DocumentBuilder docBuilder = dbfac.newDocumentBuilder();
    -        Document doc = docBuilder.newDocument();
    -
    -        return doc;
    -    }
    -
         /**
          * Exports the data in an XML stream
          *
    @@ -132,7 +121,7 @@ public void exportToXML(OutputStream os, String encoding, boolean validate) thro
     
             String rootElement = map.getCtMap().getRootElement();
     
    -        Document doc = getEmptyDocument();
    +        Document doc = DocumentHelper.createDocument();
     
             Element root = null;
     
    
  • src/ooxml/java/org/apache/poi/xssf/extractor/XSSFImportFromXML.java+3 6 modified
    @@ -24,16 +24,15 @@ Licensed to the Apache Software Foundation (ASF) under one or more
     
     import javax.xml.namespace.NamespaceContext;
     import javax.xml.parsers.DocumentBuilder;
    -import javax.xml.parsers.DocumentBuilderFactory;
     import javax.xml.parsers.ParserConfigurationException;
     import javax.xml.xpath.XPath;
     import javax.xml.xpath.XPathConstants;
     import javax.xml.xpath.XPathExpressionException;
     import javax.xml.xpath.XPathFactory;
     
    +import org.apache.poi.util.DocumentHelper;
     import org.apache.poi.util.POILogFactory;
     import org.apache.poi.util.POILogger;
    -import org.apache.poi.util.XMLHelper;
     import org.apache.poi.xssf.usermodel.XSSFCell;
     import org.apache.poi.xssf.usermodel.XSSFMap;
     import org.apache.poi.xssf.usermodel.XSSFRow;
    @@ -76,11 +75,9 @@ public XSSFImportFromXML(XSSFMap map) {
          * @throws ParserConfigurationException if there are problems with XML parser configuration
          * @throws IOException  if there are problems reading the input string
          */
    -    public void importFromXML(String xmlInputString) throws SAXException, XPathExpressionException, ParserConfigurationException, IOException {
    +    public void importFromXML(String xmlInputString) throws SAXException, XPathExpressionException, IOException {
     
    -        DocumentBuilderFactory factory = XMLHelper.getDocumentBuilderFactory();
    -        factory.setNamespaceAware(true);
    -        DocumentBuilder builder = factory.newDocumentBuilder();
    +        DocumentBuilder builder = DocumentHelper.newDocumentBuilder();
     
             Document doc = builder.parse(new InputSource(new StringReader(xmlInputString.trim())));
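Review bot: Dropping `ParserConfigurationException` from the `throws` clause of the public `importFromXML` is source-incompatible for any caller that wraps the call in an explicit `catch (ParserConfigurationException e)`, because Java rejects catching a checked exception the try body can no longer throw; either keep the declaration for this release (it is harmless) or call the change out in the release notes. The Javadoc immediately above still reads `@throws ParserConfigurationException if there are problems with XML parser configuration`, which is now stale and should be removed or kept consistent with whichever choice is made. The callers of `importFromXML` are outside this hunk, so I cannot confirm whether any of them actually catch it.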
     
    
  • src/ooxml/testcases/org/apache/poi/openxml4j/opc/TestPackage.java+1 2 modified
    @@ -42,7 +42,6 @@ Licensed to the Apache Software Foundation (ASF) under one or more
     import org.apache.poi.util.DocumentHelper;
     import org.apache.poi.util.POILogFactory;
     import org.apache.poi.util.POILogger;
    -import org.apache.poi.util.SAXHelper;
     import org.apache.poi.util.TempFile;
     import org.w3c.dom.Document;
     import org.w3c.dom.Element;
    @@ -218,7 +217,7 @@ private void assertMSCompatibility(OPCPackage pkg) throws Exception {
             PackagePartName relName = PackagingURIHelper.createPartName(PackageRelationship.getContainerPartRelationship());
             PackagePart relPart = pkg.getPart(relName);
     
    -        Document xmlRelationshipsDoc = SAXHelper.readSAXDocument(relPart.getInputStream());
    +        Document xmlRelationshipsDoc = DocumentHelper.readDocument(relPart.getInputStream());
     
             Element root = xmlRelationshipsDoc.getDocumentElement();
             NodeList nodeList = root.getElementsByTagName(PackageRelationship.RELATIONSHIP_TAG_NAME);
    
103b45073c7b

Merged revision(s) 1569991, 1615720, 1615731, 1615780-1615781, 1615893, 1589759 from poi/trunk:

https://github.com/apache/poi · Uwe Schindler · Aug 7, 2014 · via GHSA
17 files changed · +270 −57
  • build.xml+19 11 modified
    @@ -146,9 +146,12 @@ under the License.
         <!-- jars in the lib-ooxml directory, see the fetch-ooxml-jars target-->
         <property name="ooxml.dom4j.jar" location="${ooxml.lib}/dom4j-1.6.1.jar"/>
         <property name="ooxml.dom4j.url" value="${repository.m2}/maven2/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar"/>
    -    <property name="ooxml.xmlbeans.jar" location="${ooxml.lib}/xmlbeans-2.3.0.jar"/>
    -    <property name="ooxml.xmlbeans.url"
    +    <property name="ooxml.xmlbeans23.jar" location="${ooxml.lib}/xmlbeans-2.3.0.jar"/>
    +    <property name="ooxml.xmlbeans23.url"
                   value="${repository.m2}/maven2/org/apache/xmlbeans/xmlbeans/2.3.0/xmlbeans-2.3.0.jar"/>
    +    <property name="ooxml.xmlbeans26.jar" location="${ooxml.lib}/xmlbeans-2.6.0.jar"/>
    +    <property name="ooxml.xmlbeans26.url"
    +              value="${repository.m2}/maven2/org/apache/xmlbeans/xmlbeans/2.6.0/xmlbeans-2.6.0.jar"/>
         <property name="ooxml.jsr173.jar" location="${ooxml.lib}/stax-api-1.0.1.jar"/>
         <property name="ooxml.jsr173.url" value="${repository.m2}/maven2/stax/stax-api/1.0.1/stax-api-1.0.1.jar"/>
     
    @@ -218,7 +221,7 @@ under the License.
         <path id="ooxml.classpath">
             <pathelement location="${ooxml.jsr173.jar}"/>
             <pathelement location="${ooxml.dom4j.jar}"/>
    -        <pathelement location="${ooxml.xmlbeans.jar}"/>
    +        <pathelement location="${ooxml.xmlbeans26.jar}"/>
             <pathelement location="${ooxml.xsds.jar}"/>
             <path refid="main.classpath"/>
             <pathelement location="${main.output.dir}"/>
    @@ -249,7 +252,7 @@ under the License.
         <path id="ooxml-lite.classpath">
             <pathelement location="${ooxml.jsr173.jar}"/>
             <pathelement location="${ooxml.dom4j.jar}"/>
    -        <pathelement location="${ooxml.xmlbeans.jar}"/>
    +        <pathelement location="${ooxml.xmlbeans26.jar}"/>
             <pathelement location="build/ooxml-xsds-lite"/> <!-- instead of ooxml-xsds.jar use the filtered classes-->
             <path refid="main.classpath"/>
             <pathelement location="${main.output.dir}"/>
    @@ -408,7 +411,8 @@ under the License.
                 <or>
                     <and>
                         <available file="${ooxml.dom4j.jar}"/>
    -                    <available file="${ooxml.xmlbeans.jar}"/>
    +                    <available file="${ooxml.xmlbeans23.jar}"/>
    +                    <available file="${ooxml.xmlbeans26.jar}"/>
                         <available file="${ooxml.jsr173.jar}"/>
                         <available file="${ooxml.xsds.jar}"/>
                     </and>
    @@ -423,13 +427,17 @@ under the License.
                 <param name="destfile" value="${ooxml.dom4j.jar}"/>
             </antcall>
             <antcall target="downloadfile">
    -            <param name="sourcefile" value="${ooxml.xmlbeans.url}"/>
    -            <param name="destfile" value="${ooxml.xmlbeans.jar}"/>
    +            <param name="sourcefile" value="${ooxml.xmlbeans23.url}"/>
    +            <param name="destfile" value="${ooxml.xmlbeans23.jar}"/>
             </antcall>
             <antcall target="downloadfile">
                 <param name="sourcefile" value="${ooxml.jsr173.url}"/>
                 <param name="destfile" value="${ooxml.jsr173.jar}"/>
             </antcall>
    +        <antcall target="downloadfile">
    +            <param name="sourcefile" value="${ooxml.xmlbeans26.url}"/>
    +            <param name="destfile" value="${ooxml.xmlbeans26.jar}"/>
    +        </antcall>
         </target>
     
         <target name="check-ooxml-xsds">
    @@ -474,7 +482,7 @@ under the License.
     
             <taskdef name="xmlbean"
                      classname="org.apache.xmlbeans.impl.tool.XMLBean"
    -                 classpath="${ooxml.xmlbeans.jar}:${ooxml.jsr173.jar}"/>
    +                 classpath="${ooxml.xmlbeans23.jar}:${ooxml.jsr173.jar}"/>
     
             <!-- We need a fair amount of memory to compile the xml schema, -->
             <!--  but limit it in case it goes wrong! -->
    @@ -513,7 +521,7 @@ under the License.
                 description="Compiles the OOXML encryption xsd files into XmlBeans">
             <taskdef name="xmlbean"
                      classname="org.apache.xmlbeans.impl.tool.XMLBean"
    -                 classpath="${ooxml.xmlbeans.jar}:${ooxml.jsr173.jar}"/>
    +                 classpath="${ooxml.xmlbeans23.jar}:${ooxml.jsr173.jar}"/>
     
             <!-- We need a fair amount of memory to compile the xml schema, -->
             <!--  but limit it in case it goes wrong! -->
    @@ -1255,7 +1263,7 @@ under the License.
                 <zipfileset dir="${ooxml.lib}" prefix="${zipdir}/ooxml-lib">
                   <include name="dom4j-*.jar"/>
                   <include name="stax-api-*.jar"/>
    -              <include name="xmlbeans-*.jar"/>
    +              <include name="xmlbeans-2.6*.jar"/>
                 </zipfileset>
                 <zipfileset dir="${dist.dir}" prefix="${zipdir}">
                     <patternset refid="bin.dist.jars"/>
    @@ -1284,7 +1292,7 @@ under the License.
                 <tarfileset dir="${ooxml.lib}" prefix="${zipdir}/ooxml-lib">
                   <include name="dom4j-*.jar"/>
                   <include name="stax-api-*.jar"/>
    -              <include name="xmlbeans-*.jar"/>
    +              <include name="xmlbeans-2.6*.jar"/>
                 </tarfileset>
                 <tarfileset dir="${build.site}" prefix="${zipdir}/docs"/>
                 <tarfileset dir="${dist.dir}" prefix="${zipdir}">
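Review bot: The new `downloadfile` call for `${ooxml.xmlbeans26.url}` pulls a runtime jar over the network identified only by URL; nothing in this hunk ties the fetched `xmlbeans-2.6.0.jar` to an expected digest, so a substituted or tampered artifact would be accepted silently. If the `downloadfile` target (outside this hunk) does not already verify a checksum, I would follow the download with `<checksum file="${ooxml.xmlbeans26.jar}" algorithm="SHA-1" property="<pinned-digest>" verifyProperty="xmlbeans26.ok"/>` and `<fail unless="xmlbeans26.ok"/>`; the same applies to the existing dom4j, stax-api and xmlbeans-2.3.0 downloads. The build now carries two XMLBeans versions, 2.3.0 for the `xmlbean` taskdef and 2.6.0 on the runtime classpaths and in the distribution; a comment next to the property definitions such as `<!-- 2.3.0 is kept only for schema compilation; runtime and distribution use 2.6.0 -->` would stop a later cleanup from removing the one that is still needed.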
    
  • .classpath+1 1 modified
    @@ -20,7 +20,7 @@
     	<classpathentry kind="lib" path="lib/log4j-1.2.13.jar"/>
     	<classpathentry kind="lib" path="ooxml-lib/dom4j-1.6.1.jar"/>
     	<classpathentry kind="lib" path="ooxml-lib/stax-api-1.0.1.jar"/>
    -	<classpathentry kind="lib" path="ooxml-lib/xmlbeans-2.3.0.jar"/>
    +	<classpathentry kind="lib" path="ooxml-lib/xmlbeans-2.6.0.jar"/>
     	<classpathentry kind="lib" path="lib/hamcrest-core-1.3.jar"/>
     	<classpathentry kind="lib" path="lib/junit-4.11.jar"/>
     	<classpathentry kind="lib" path="ooxml-lib/ooxml-schemas-1.1.jar" sourcepath="ooxml-lib/ooxml-schemas-src-1.1.jar"/>
    
  • maven/poi-ooxml-schemas.pom+1 1 modified
    @@ -62,7 +62,7 @@
         <dependency>
           <groupId>org.apache.xmlbeans</groupId>
           <artifactId>xmlbeans</artifactId>
    -      <version>2.3.0</version>
    +      <version>2.6.0</version>
         </dependency>
       </dependencies>
     </project>
    
  • src/ooxml/java/org/apache/poi/openxml4j/opc/internal/ContentTypeManager.java+3 4 modified
    @@ -23,8 +23,8 @@ Licensed to the Apache Software Foundation (ASF) under one or more
     import java.net.URISyntaxException;
     import java.util.Iterator;
     import java.util.List;
    -import java.util.TreeMap;
     import java.util.Map.Entry;
    +import java.util.TreeMap;
     
     import org.apache.poi.openxml4j.exceptions.InvalidFormatException;
     import org.apache.poi.openxml4j.exceptions.InvalidOperationException;
    @@ -33,13 +33,13 @@ Licensed to the Apache Software Foundation (ASF) under one or more
     import org.apache.poi.openxml4j.opc.PackagePart;
     import org.apache.poi.openxml4j.opc.PackagePartName;
     import org.apache.poi.openxml4j.opc.PackagingURIHelper;
    +import org.apache.poi.util.SAXHelper;
     import org.dom4j.Document;
     import org.dom4j.DocumentException;
     import org.dom4j.DocumentHelper;
     import org.dom4j.Element;
     import org.dom4j.Namespace;
     import org.dom4j.QName;
    -import org.dom4j.io.SAXReader;
     
     /**
      * Manage package content types ([Content_Types].xml part).
    @@ -373,8 +373,7 @@ public void clearOverrideContentTypes() {
     	private void parseContentTypesFile(InputStream in)
     			throws InvalidFormatException {
     		try {
    -			SAXReader xmlReader = new SAXReader();
    -			Document xmlContentTypetDoc = xmlReader.read(in);
    +			Document xmlContentTypetDoc = SAXHelper.readSAXDocument(in);
     
     			// Default content types
     			List defaultTypes = xmlContentTypetDoc.getRootElement().elements(
    
  • src/ooxml/java/org/apache/poi/openxml4j/opc/internal/unmarshallers/PackagePropertiesUnmarshaller.java+8 9 modified
    @@ -23,13 +23,6 @@ Licensed to the Apache Software Foundation (ASF) under one or more
     import java.util.List;
     import java.util.zip.ZipEntry;
     
    -import org.dom4j.Attribute;
    -import org.dom4j.Document;
    -import org.dom4j.DocumentException;
    -import org.dom4j.Element;
    -import org.dom4j.Namespace;
    -import org.dom4j.QName;
    -import org.dom4j.io.SAXReader;
     import org.apache.poi.openxml4j.exceptions.InvalidFormatException;
     import org.apache.poi.openxml4j.opc.PackageNamespaces;
     import org.apache.poi.openxml4j.opc.PackagePart;
    @@ -38,6 +31,13 @@ Licensed to the Apache Software Foundation (ASF) under one or more
     import org.apache.poi.openxml4j.opc.internal.PackagePropertiesPart;
     import org.apache.poi.openxml4j.opc.internal.PartUnmarshaller;
     import org.apache.poi.openxml4j.opc.internal.ZipHelper;
    +import org.apache.poi.util.SAXHelper;
    +import org.dom4j.Attribute;
    +import org.dom4j.Document;
    +import org.dom4j.DocumentException;
    +import org.dom4j.Element;
    +import org.dom4j.Namespace;
    +import org.dom4j.QName;
     
     /**
      * Package properties unmarshaller.
    @@ -118,10 +118,9 @@ public PackagePart unmarshall(UnmarshallContext context, InputStream in)
     						"Error while trying to get the part input stream.");
     		}
     
    -		SAXReader xmlReader = new SAXReader();
     		Document xmlDoc;
     		try {
    -			xmlDoc = xmlReader.read(in);
    +			xmlDoc = SAXHelper.readSAXDocument(in);
     
     			/* Check OPC compliance */
     
    
  • src/ooxml/java/org/apache/poi/openxml4j/opc/PackageRelationshipCollection.java+14 16 modified
    @@ -22,10 +22,10 @@ Licensed to the Apache Software Foundation (ASF) under one or more
     import java.util.Iterator;
     import java.util.TreeMap;
     
    +import org.apache.poi.util.SAXHelper;
     import org.dom4j.Attribute;
     import org.dom4j.Document;
     import org.dom4j.Element;
    -import org.dom4j.io.SAXReader;
     import org.apache.poi.openxml4j.exceptions.InvalidFormatException;
     import org.apache.poi.openxml4j.exceptions.InvalidOperationException;
     import org.apache.poi.util.POILogger;
    @@ -298,21 +298,19 @@ public int size() {
     		return relationshipsByID.values().size();
     	}
     
    -	/**
    -	 * Parse the relationship part and add all relationship in this collection.
    -	 *
    -	 * @param relPart
    -	 *            The package part to parse.
    -	 * @throws InvalidFormatException
    -	 *             Throws if the relationship part is invalid.
    -	 */
    -	private void parseRelationshipsPart(PackagePart relPart)
    -			throws InvalidFormatException {
    -		try {
    -			SAXReader reader = new SAXReader();
    -			logger.log(POILogger.DEBUG, "Parsing relationship: " + relPart.getPartName());
    -			Document xmlRelationshipsDoc = reader
    -					.read(relPart.getInputStream());
    +    /**
    +     * Parse the relationship part and add all relationship in this collection.
    +     *
    +     * @param relPart
    +     *            The package part to parse.
    +     * @throws InvalidFormatException
    +     *             Throws if the relationship part is invalid.
    +     */
    +    private void parseRelationshipsPart(PackagePart relPart)
    +            throws InvalidFormatException {
    +        try {
    +            logger.log(POILogger.DEBUG, "Parsing relationship: " + relPart.getPartName());
    +            Document xmlRelationshipsDoc = SAXHelper.readSAXDocument(relPart.getInputStream());
     
     			// Browse default types
     			Element root = xmlRelationshipsDoc.getRootElement();
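Review bot: The hunk re-indents parseRelationshipsPart from tabs to four spaces while the lines around it (`return relationshipsByID.values().size();`, `Element root = xmlRelationshipsDoc.getRootElement();`) keep tabs, so the method now mixes both styles inside one body and the only functional change — `Document xmlRelationshipsDoc = SAXHelper.readSAXDocument(relPart.getInputStream());` — is buried under whitespace-only diff lines. Keep the original indentation so the change reads as the two-line edit it is. The stream returned by `relPart.getInputStream()` is handed straight to the reader and never closed, as before the change; if the reader does not close it on the caller's behalf, hold it in a local and close it in a finally block. The method body continues outside the hunk.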
    
  • src/ooxml/java/org/apache/poi/POIXMLDocument.java+6 0 modified
    @@ -34,6 +34,7 @@ Licensed to the Apache Software Foundation (ASF) under one or more
     import org.apache.poi.openxml4j.opc.PackageRelationshipCollection;
     import org.apache.poi.poifs.common.POIFSConstants;
     import org.apache.poi.util.IOUtils;
    +import org.apache.xmlbeans.impl.common.SystemCache;
     
     public abstract class POIXMLDocument extends POIXMLDocumentPart{
         public static final String DOCUMENT_CREATOR = "Apache POI";
    @@ -55,6 +56,11 @@ public abstract class POIXMLDocument extends POIXMLDocumentPart{
         protected POIXMLDocument(OPCPackage pkg) {
             super(pkg);
             this.pkg = pkg;
    +        
    +        // Workaround for XMLBEANS-512 - ensure that when we parse
    +        //  the file, we start with a fresh XML Parser each time,
    +        //  and avoid the risk of getting a SaxHandler that's in error
    +        SystemCache.get().setSaxLoader(null);
         }
     
         /**
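Review bot: `SystemCache.get().setSaxLoader(null);` runs in the POIXMLDocument constructor, i.e. once per document opened, and appears to reset a cache shared JVM-wide by XMLBeans rather than one scoped to this document; if so, two threads opening documents concurrently reset it under each other, and any other XMLBeans user in the same process loses its cached loader every time POI opens a file — confirm against the xmlbeans 2.6.0 SystemCache source. Extend the comment to say the reset is process-wide and to name the XMLBeans version the workaround is needed for, e.g. `// Workaround for XMLBEANS-512 (still present in xmlbeans 2.6.0): reset the process-wide SAX loader cache so each parse starts from a fresh parser`. The added blank line before the comment carries trailing whitespace.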
    
  • src/ooxml/java/org/apache/poi/util/SAXHelper.java+92 0 added
    @@ -0,0 +1,92 @@
    +/* ====================================================================
    +   Licensed to the Apache Software Foundation (ASF) under one or more
    +   contributor license agreements.  See the NOTICE file distributed with
    +   this work for additional information regarding copyright ownership.
    +   The ASF licenses this file to You under the Apache License, Version 2.0
    +   (the "License"); you may not use this file except in compliance with
    +   the License.  You may obtain a copy of the License at
    +
    +       http://www.apache.org/licenses/LICENSE-2.0
    +
    +   Unless required by applicable law or agreed to in writing, software
    +   distributed under the License is distributed on an "AS IS" BASIS,
    +   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    +   See the License for the specific language governing permissions and
    +   limitations under the License.
    +==================================================================== */
    +
    +package org.apache.poi.util;
    +
    +import java.io.IOException;
    +import java.io.InputStream;
    +import java.io.StringReader;
    +import java.lang.reflect.Method;
    +
    +import javax.xml.XMLConstants;
    +
    +import org.dom4j.Document;
    +import org.dom4j.DocumentException;
    +import org.dom4j.io.SAXReader;
    +import org.xml.sax.EntityResolver;
    +import org.xml.sax.InputSource;
    +import org.xml.sax.SAXException;
    +
    +
    +/**
    + * Provides handy methods for working with SAX parsers and readers
    + */
    +public final class SAXHelper {
    +    private static POILogger logger = POILogFactory.getLogger(SAXHelper.class);
    +            
    +    /**
    +     * Creates a new SAX Reader, with sensible defaults
    +     */
    +    public static SAXReader getSAXReader() {
    +        SAXReader xmlReader = new SAXReader();
    +        xmlReader.setValidation(false);
    +        xmlReader.setEntityResolver(new EntityResolver() {
    +            public InputSource resolveEntity(String publicId, String systemId)
    +                    throws SAXException, IOException {
    +                return new InputSource(new StringReader(""));
    +            }
    +        });
    +        trySetSAXFeature(xmlReader, XMLConstants.FEATURE_SECURE_PROCESSING, true);
    +        trySetXercesSecurityManager(xmlReader);
    +        return xmlReader;
    +    }
    +    private static void trySetSAXFeature(SAXReader xmlReader, String feature, boolean enabled) {
    +        try {
    +            xmlReader.setFeature(feature, enabled);
    +        } catch (Exception e) {
    +            logger.log(POILogger.INFO, "SAX Feature unsupported", feature, e);
    +        }
    +    }
    +    private static void trySetXercesSecurityManager(SAXReader xmlReader) {
    +        // Try built-in JVM one first, standalone if not
    +        for (String securityManagerClassName : new String[] {
    +                "com.sun.org.apache.xerces.internal.util.SecurityManager",
    +                "org.apache.xerces.util.SecurityManager"
    +        }) {
    +            try {
    +                Object mgr = Class.forName(securityManagerClassName).newInstance();
    +                Method setLimit = mgr.getClass().getMethod("setEntityExpansionLimit", Integer.TYPE);
    +                setLimit.invoke(mgr, 4096);
    +                xmlReader.setProperty("http://apache.org/xml/properties/security-manager", mgr);
    +                // Stop once one can be setup without error
    +                return;
    +            } catch (Exception e) {
    +                logger.log(POILogger.INFO, "SAX Security Manager could not be setup", e);
    +            }
    +        }
    +    }
    +
    +    /**
    +     * Parses the given stream via the default (sensible)
    +     * SAX Reader
    +     * @param inp Stream to read the XML data from
    +     * @return the SAX processed Document 
    +     */
    +    public static Document readSAXDocument(InputStream inp) throws DocumentException {
    +        return getSAXReader().read(inp);
    +    }
    +}
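Review bot: When neither SecurityManager class can be loaded in trySetXercesSecurityManager (the loop at `for (String securityManagerClassName : new String[] {`), getSAXReader still returns a usable reader with no entity-expansion limit, and the only trace is an INFO log per failed attempt; since that limit is what the bug54764 test depends on, log the final failure at WARN and state in the getSAXReader javadoc that the expansion limit and FEATURE_SECURE_PROCESSING are applied best-effort, depending on the parser present at runtime. The empty-InputSource resolver blocks external entity content, but a DOCTYPE is still accepted and its internal subset parsed; if OOXML parts never legitimately carry one, `trySetSAXFeature(xmlReader, "http://apache.org/xml/features/disallow-doctype-decl", true);` would reject such input up front instead of relying on the limit. Two smaller points: `logger` should be `private static final`, and the readSAXDocument javadoc should carry `@throws DocumentException if the stream is not well-formed XML or a parser limit is exceeded` — that a limit breach surfaces as DocumentException is inferred from the bug54764 test, so confirm. The same SAXHelper body appears in the Aug 4 commit's hunk further down the page.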
    
  • src/ooxml/java/org/apache/poi/xssf/model/SharedStringsTable.java+8 4 modified
    @@ -20,16 +20,20 @@ Licensed to the Apache Software Foundation (ASF) under one or more
     import java.io.IOException;
     import java.io.InputStream;
     import java.io.OutputStream;
    -import java.util.*;
    +import java.util.ArrayList;
    +import java.util.Collections;
    +import java.util.HashMap;
    +import java.util.List;
    +import java.util.Map;
     
    +import org.apache.poi.POIXMLDocumentPart;
    +import org.apache.poi.openxml4j.opc.PackagePart;
    +import org.apache.poi.openxml4j.opc.PackageRelationship;
     import org.apache.xmlbeans.XmlException;
     import org.apache.xmlbeans.XmlOptions;
    -import org.apache.poi.POIXMLDocumentPart;
     import org.openxmlformats.schemas.spreadsheetml.x2006.main.CTRst;
     import org.openxmlformats.schemas.spreadsheetml.x2006.main.CTSst;
     import org.openxmlformats.schemas.spreadsheetml.x2006.main.SstDocument;
    -import org.apache.poi.openxml4j.opc.PackagePart;
    -import org.apache.poi.openxml4j.opc.PackageRelationship;
     
     
     /**
    
  • src/ooxml/testcases/org/apache/poi/openxml4j/opc/TestPackageCoreProperties.java+27 1 modified
    @@ -21,6 +21,7 @@ Licensed to the Apache Software Foundation (ASF) under one or more
     import java.io.ByteArrayOutputStream;
     import java.io.File;
     import java.io.IOException;
    +import java.io.InputStream;
     import java.text.ParsePosition;
     import java.text.SimpleDateFormat;
     import java.util.Date;
    @@ -33,8 +34,8 @@ Licensed to the Apache Software Foundation (ASF) under one or more
     import org.apache.poi.openxml4j.exceptions.OpenXML4JException;
     import org.apache.poi.openxml4j.opc.internal.PackagePropertiesPart;
     import org.apache.poi.openxml4j.util.Nullable;
    -import org.apache.poi.util.POILogger;
     import org.apache.poi.util.POILogFactory;
    +import org.apache.poi.util.POILogger;
     
     public final class TestPackageCoreProperties extends TestCase {
         private static final POILogger logger = POILogFactory.getLogger(TestPackageCoreProperties.class);
    @@ -197,4 +198,29 @@ public void testGetPropertiesLO() throws Exception {
             props2.setTitleProperty("Bug 51444 fixed");
         }
     
    +    public void testEntitiesInCoreProps_56164() throws Exception {
    +        InputStream is = OpenXML4JTestDataSamples.openSampleStream("CorePropertiesHasEntities.ooxml");
    +        OPCPackage p = OPCPackage.open(is);
    +        is.close();
    +
    +        // Should have 3 root relationships
    +        boolean foundDocRel = false, foundCorePropRel = false, foundExtPropRel = false;
    +        for (PackageRelationship pr : p.getRelationships()) {
    +            if (pr.getRelationshipType().equals(PackageRelationshipTypes.CORE_DOCUMENT))
    +                foundDocRel = true;
    +            if (pr.getRelationshipType().equals(PackageRelationshipTypes.CORE_PROPERTIES))
    +                foundCorePropRel = true;
    +            if (pr.getRelationshipType().equals(PackageRelationshipTypes.EXTENDED_PROPERTIES))
    +                foundExtPropRel = true;
    +        }
    +        assertTrue("Core/Doc Relationship not found in " + p.getRelationships(), foundDocRel);
    +        assertTrue("Core Props Relationship not found in " + p.getRelationships(), foundCorePropRel);
    +        assertTrue("Ext Props Relationship not found in " + p.getRelationships(), foundExtPropRel);
    +
    +        // Get the Core Properties
    +        PackagePropertiesPart props = (PackagePropertiesPart)p.getPackageProperties();
    +        
    +        // Check
    +        assertEquals("Stefan Kopf", props.getCreatorProperty().getValue());
    +    }
     }
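Review bot: `OPCPackage p` is opened at `OPCPackage p = OPCPackage.open(is);` and never closed, so the package's underlying resources stay open for the rest of the test run; the Apr 24 commit further down adds `pkg.close(); // Tidy` to testCoreProperties_bug51374 for exactly this reason, so end this test the same way with `p.close();` (or `p.revert();` if a stream-opened package must not be written back on close). The same gap is in testEntitiesInRels_56164 in the TestRelationships section of this commit and in both tests as they appear in the Apr 24 commit.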
    
  • src/ooxml/testcases/org/apache/poi/openxml4j/opc/TestPackage.java+16 8 modified
    @@ -17,10 +17,19 @@ Licensed to the Apache Software Foundation (ASF) under one or more
     
     package org.apache.poi.openxml4j.opc;
     
    -import java.io.*;
    +import java.io.ByteArrayOutputStream;
    +import java.io.File;
    +import java.io.FileInputStream;
    +import java.io.FileOutputStream;
    +import java.io.IOException;
    +import java.io.InputStream;
    +import java.io.OutputStream;
     import java.lang.reflect.Field;
     import java.net.URI;
    -import java.util.*;
    +import java.util.HashMap;
    +import java.util.Iterator;
    +import java.util.List;
    +import java.util.TreeMap;
     import java.util.regex.Pattern;
     
     import junit.framework.TestCase;
    @@ -31,15 +40,15 @@ Licensed to the Apache Software Foundation (ASF) under one or more
     import org.apache.poi.openxml4j.opc.internal.ContentTypeManager;
     import org.apache.poi.openxml4j.opc.internal.FileHelper;
     import org.apache.poi.openxml4j.opc.internal.PackagePropertiesPart;
    -import org.apache.poi.util.TempFile;
    -import org.apache.poi.util.POILogger;
     import org.apache.poi.util.POILogFactory;
    +import org.apache.poi.util.POILogger;
    +import org.apache.poi.util.SAXHelper;
    +import org.apache.poi.util.TempFile;
     import org.dom4j.Document;
     import org.dom4j.DocumentHelper;
     import org.dom4j.Element;
     import org.dom4j.Namespace;
     import org.dom4j.QName;
    -import org.dom4j.io.SAXReader;
     
     public final class TestPackage extends TestCase {
         private static final POILogger logger = POILogFactory.getLogger(TestPackage.class);
    @@ -211,9 +220,8 @@ public void testCreatePackageWithCoreDocument() throws Exception {
         private void assertMSCompatibility(OPCPackage pkg) throws Exception {
             PackagePartName relName = PackagingURIHelper.createPartName(PackageRelationship.getContainerPartRelationship());
             PackagePart relPart = pkg.getPart(relName);
    -        SAXReader reader = new SAXReader();
    -        Document xmlRelationshipsDoc = reader
    -                .read(relPart.getInputStream());
    +
    +        Document xmlRelationshipsDoc = SAXHelper.readSAXDocument(relPart.getInputStream());
     
             Element root = xmlRelationshipsDoc.getRootElement();
             for (Iterator i = root
    
  • src/ooxml/testcases/org/apache/poi/openxml4j/opc/TestRelationships.java+40 2 modified
    @@ -17,15 +17,18 @@ Licensed to the Apache Software Foundation (ASF) under one or more
     
     package org.apache.poi.openxml4j.opc;
     
    -import java.io.*;
    +import java.io.ByteArrayInputStream;
    +import java.io.ByteArrayOutputStream;
    +import java.io.InputStream;
     import java.net.URI;
     import java.util.regex.Pattern;
     
     import junit.framework.TestCase;
     
     import org.apache.poi.openxml4j.OpenXML4JTestDataSamples;
    -import org.apache.poi.util.POILogger;
     import org.apache.poi.util.POILogFactory;
    +import org.apache.poi.util.POILogger;
    +import org.apache.poi.xwpf.usermodel.XWPFRelation;
     
     
     public class TestRelationships extends TestCase {
    @@ -309,6 +312,7 @@ public void assert_50154(OPCPackage pkg) throws Exception {
             URI rel1 = parent.relativize(rId1.getTargetURI());
             URI rel11 = PackagingURIHelper.relativizeURI(drawingPart.getPartName().getURI(), rId1.getTargetURI());
             assertEquals("'Another Sheet'!A1", rel1.getFragment());
    +        assertEquals("'Another Sheet'!A1", rel11.getFragment());
     
             PackageRelationship rId2 = drawingPart.getRelationship("rId2");
             URI rel2 = PackagingURIHelper.relativizeURI(drawingPart.getPartName().getURI(), rId2.getTargetURI());
    @@ -390,6 +394,40 @@ public void testTrailingSpacesInURI_53282() throws Exception {
             targetUri = rId1.getTargetURI();
             assertEquals("mailto:nobody@nowhere.uk%C2%A0", targetUri.toASCIIString());
             assertEquals("nobody@nowhere.uk\u00A0", targetUri.getSchemeSpecificPart());
    +    }
    +    
    +    public void testEntitiesInRels_56164() throws Exception {
    +        InputStream is = OpenXML4JTestDataSamples.openSampleStream("PackageRelsHasEntities.ooxml");
    +        OPCPackage p = OPCPackage.open(is);
    +        is.close();
     
    +        // Should have 3 root relationships
    +        boolean foundDocRel = false, foundCorePropRel = false, foundExtPropRel = false;
    +        for (PackageRelationship pr : p.getRelationships()) {
    +            if (pr.getRelationshipType().equals(PackageRelationshipTypes.CORE_DOCUMENT))
    +                foundDocRel = true;
    +            if (pr.getRelationshipType().equals(PackageRelationshipTypes.CORE_PROPERTIES))
    +                foundCorePropRel = true;
    +            if (pr.getRelationshipType().equals(PackageRelationshipTypes.EXTENDED_PROPERTIES))
    +                foundExtPropRel = true;
    +        }
    +        assertTrue("Core/Doc Relationship not found in " + p.getRelationships(), foundDocRel);
    +        assertTrue("Core Props Relationship not found in " + p.getRelationships(), foundCorePropRel);
    +        assertTrue("Ext Props Relationship not found in " + p.getRelationships(), foundExtPropRel);
    +        
    +        // Should have normal work parts
    +        boolean foundCoreProps = false, foundDocument = false;
    +        for (PackagePart part : p.getParts()) {
    +            if (part.getPartName().toString().equals("/docProps/core.xml")) {
    +                assertEquals(ContentTypes.CORE_PROPERTIES_PART, part.getContentType());
    +                foundCoreProps = true;
    +            }
    +            if (part.getPartName().toString().equals("/word/document.xml")) {
    +                assertEquals(XWPFRelation.DOCUMENT.getContentType(), part.getContentType());
    +                foundDocument = true;
    +            }
    +        }
    +        assertTrue("Core not found in " + p.getParts(), foundCoreProps);
    +        assertTrue("Document not found in " + p.getParts(), foundDocument);
         }
     }
    
  • src/ooxml/testcases/org/apache/poi/xssf/usermodel/TestXSSFBugs.java+35 0 modified
    @@ -32,6 +32,8 @@ Licensed to the Apache Software Foundation (ASF) under one or more
     import org.apache.poi.EncryptedDocumentException;
     import org.apache.poi.POIDataSamples;
     import org.apache.poi.POIXMLDocumentPart;
    +import org.apache.poi.POIXMLException;
    +import org.apache.poi.POIXMLProperties;
     import org.apache.poi.hssf.usermodel.HSSFWorkbook;
     import org.apache.poi.openxml4j.opc.OPCPackage;
     import org.apache.poi.openxml4j.opc.PackagePart;
    @@ -1440,4 +1442,37 @@ public void bug55692() throws Exception {
         		fail("Should've raised a EncryptedDocumentException error");
         	} catch (EncryptedDocumentException e) {}
         }
    +
    +    @Test
    +    public void bug54764() throws Exception {
    +        OPCPackage pkg = XSSFTestDataSamples.openSamplePackage("54764.xlsx");
    +        
    +        // Check the core properties - will be found but empty, due
    +        //  to the expansion being too much to be considered valid
    +        POIXMLProperties props = new POIXMLProperties(pkg);
    +        assertEquals(null, props.getCoreProperties().getTitle());
    +        assertEquals(null, props.getCoreProperties().getSubject());
    +        assertEquals(null, props.getCoreProperties().getDescription());
    +        
    +        // Now check the spreadsheet itself
    +        try {
    +            new XSSFWorkbook(pkg);
    +            fail("Should fail as too much expansion occurs");
    +        } catch(POIXMLException e) {
    +            // Expected
    +        }
    +        
    +        // Try with one with the entities in the Content Types
    +        try {
    +            XSSFTestDataSamples.openSamplePackage("54764-2.xlsx");
    +            fail("Should fail as too much expansion occurs");
    +        } catch(Exception e) {
    +            // Expected
    +        }
    +        
    +        // Check we can still parse valid files after all that
    +        Workbook wb = XSSFTestDataSamples.openSampleWorkbook("sample.xlsx");
    +        assertEquals(3, wb.getNumberOfSheets());
    +    }
    +    
     }
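Review bot: The second try block (`XSSFTestDataSamples.openSamplePackage("54764-2.xlsx");`) catches bare `Exception`, so the test passes whether the package is rejected by the entity-expansion limit, the sample file is missing, or anything else throws; narrow it to the type the first block already expects, `} catch(POIXMLException e) {`, or to whatever OPCPackage.open actually raises for that file, so a regression in the limit cannot hide behind an unrelated error. The three `assertEquals(null, ...)` lines on the core properties read better as `assertNull(...)`. `pkg` is opened and never closed; add `pkg.close();` or the read-only `pkg.revert();` at the end of the method.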
    
  • test-data/openxml4j/CorePropertiesHasEntities.ooxml+0 0 added
  • test-data/openxml4j/PackageRelsHasEntities.ooxml+0 0 added
  • test-data/spreadsheet/54764-2.xlsx+0 0 added
  • test-data/spreadsheet/54764.xlsx+0 0 added
236c3c52a9b9

Apply suggestions from Uwe Schindler for more secure xml defaults for #54764 and #56164, for xml parsers which support them

https://github.com/apache/poiNick BurchAug 4, 2014via ghsa
3 files changed · +53 1
  • src/ooxml/java/org/apache/poi/util/SAXHelper.java+34 1 modified
    @@ -20,6 +20,9 @@ Licensed to the Apache Software Foundation (ASF) under one or more
     import java.io.IOException;
     import java.io.InputStream;
     import java.io.StringReader;
    +import java.lang.reflect.Method;
    +
    +import javax.xml.XMLConstants;
     
     import org.dom4j.Document;
     import org.dom4j.DocumentException;
    @@ -33,20 +36,50 @@ Licensed to the Apache Software Foundation (ASF) under one or more
      * Provides handy methods for working with SAX parsers and readers
      */
     public final class SAXHelper {
    +    private static POILogger logger = POILogFactory.getLogger(SAXHelper.class);
    +            
         /**
          * Creates a new SAX Reader, with sensible defaults
          */
         public static SAXReader getSAXReader() {
             SAXReader xmlReader = new SAXReader();
    +        xmlReader.setValidation(false);
             xmlReader.setEntityResolver(new EntityResolver() {
                 public InputSource resolveEntity(String publicId, String systemId)
                         throws SAXException, IOException {
                     return new InputSource(new StringReader(""));
                 }
             });
    +        trySetSAXFeature(xmlReader, XMLConstants.FEATURE_SECURE_PROCESSING, true);
    +        trySetXercesSecurityManager(xmlReader);
             return xmlReader;
         }
    -    
    +    private static void trySetSAXFeature(SAXReader xmlReader, String feature, boolean enabled) {
    +        try {
    +            xmlReader.setFeature(feature, enabled);
    +        } catch (Exception e) {
    +            logger.log(POILogger.INFO, "SAX Feature unsupported", feature, e);
    +        }
    +    }
    +    private static void trySetXercesSecurityManager(SAXReader xmlReader) {
    +        // Try built-in JVM one first, standalone if not
    +        for (String securityManagerClassName : new String[] {
    +                "com.sun.org.apache.xerces.internal.util.SecurityManager",
    +                "org.apache.xerces.util.SecurityManager"
    +        }) {
    +            try {
    +                Object mgr = Class.forName(securityManagerClassName).newInstance();
    +                Method setLimit = mgr.getClass().getMethod("setEntityExpansionLimit", Integer.TYPE);
    +                setLimit.invoke(mgr, 4096);
    +                xmlReader.setProperty("http://apache.org/xml/properties/security-manager", mgr);
    +                // Stop once one can be setup without error
    +                return;
    +            } catch (Exception e) {
    +                logger.log(POILogger.INFO, "SAX Security Manager could not be setup", e);
    +            }
    +        }
    +    }
    +
         /**
          * Parses the given stream via the default (sensible)
          * SAX Reader
    
  • src/ooxml/testcases/org/apache/poi/xssf/usermodel/TestXSSFBugs.java+19 0 modified
    @@ -38,6 +38,7 @@ Licensed to the Apache Software Foundation (ASF) under one or more
     import org.apache.poi.EncryptedDocumentException;
     import org.apache.poi.POIDataSamples;
     import org.apache.poi.POIXMLDocumentPart;
    +import org.apache.poi.POIXMLProperties;
     import org.apache.poi.hssf.HSSFTestDataSamples;
     import org.apache.poi.hssf.usermodel.HSSFWorkbook;
     import org.apache.poi.openxml4j.opc.OPCPackage;
    @@ -1846,6 +1847,24 @@ public void bug56502() throws Exception {
             assertEquals("A4", cRef.getCellFormula());
         }
         
    +    @Test
    +    public void bug54764() throws Exception {
    +        OPCPackage pkg = XSSFTestDataSamples.openSamplePackage("54764.xlsx");
    +        
    +        // Check the core properties - will be found but empty, due
    +        //  to the expansion being too much to be considered valid
    +        POIXMLProperties props = new POIXMLProperties(pkg);
    +        assertEquals(null, props.getCoreProperties().getTitle());
    +        assertEquals(null, props.getCoreProperties().getSubject());
    +        assertEquals(null, props.getCoreProperties().getDescription());
    +        
    +        // Now check the spreadsheet itself
    +        // TODO Fix then enable
    +//        XSSFWorkbook wb = new XSSFWorkbook(pkg);
    +//        XSSFSheet s = wb.getSheetAt(0);
    +        // TODO Check
    +    }
    +    
         /**
          * .xlsb files are not supported, but we should generate a helpful
          *  error message if given one
    
  • test-data/spreadsheet/54764.xlsx+0 0 added
6050a68d5adf

Two more test files from Stefan Kopf for bug #56164, and unit tests which use them

https://github.com/apache/poiNick BurchApr 24, 2014via ghsa
4 files changed · +75 3
  • src/ooxml/testcases/org/apache/poi/openxml4j/opc/TestPackageCoreProperties.java+30 1 modified
    @@ -21,6 +21,7 @@ Licensed to the Apache Software Foundation (ASF) under one or more
     import java.io.ByteArrayOutputStream;
     import java.io.File;
     import java.io.IOException;
    +import java.io.InputStream;
     import java.text.ParsePosition;
     import java.text.SimpleDateFormat;
     import java.util.Date;
    @@ -33,8 +34,8 @@ Licensed to the Apache Software Foundation (ASF) under one or more
     import org.apache.poi.openxml4j.exceptions.OpenXML4JException;
     import org.apache.poi.openxml4j.opc.internal.PackagePropertiesPart;
     import org.apache.poi.openxml4j.util.Nullable;
    -import org.apache.poi.util.POILogger;
     import org.apache.poi.util.POILogFactory;
    +import org.apache.poi.util.POILogger;
     
     public final class TestPackageCoreProperties extends TestCase {
         private static final POILogger logger = POILogFactory.getLogger(TestPackageCoreProperties.class);
    @@ -180,6 +181,9 @@ public void testCoreProperties_bug51374() throws Exception {
             props.setModifiedProperty(strDate);
             assertEquals(strDate, props.getModifiedPropertyString());
             assertEquals(date, props.getModifiedProperty().getValue());
    +        
    +        // Tidy
    +        pkg.close();
         }
     
         public void testGetPropertiesLO() throws Exception {
    @@ -197,4 +201,29 @@ public void testGetPropertiesLO() throws Exception {
             props2.setTitleProperty("Bug 51444 fixed");
         }
     
    +    public void testEntitiesInCoreProps_56164() throws Exception {
    +        InputStream is = OpenXML4JTestDataSamples.openSampleStream("CorePropertiesHasEntities.ooxml");
    +        OPCPackage p = OPCPackage.open(is);
    +        is.close();
    +
    +        // Should have 3 root relationships
    +        boolean foundDocRel = false, foundCorePropRel = false, foundExtPropRel = false;
    +        for (PackageRelationship pr : p.getRelationships()) {
    +            if (pr.getRelationshipType().equals(PackageRelationshipTypes.CORE_DOCUMENT))
    +                foundDocRel = true;
    +            if (pr.getRelationshipType().equals(PackageRelationshipTypes.CORE_PROPERTIES))
    +                foundCorePropRel = true;
    +            if (pr.getRelationshipType().equals(PackageRelationshipTypes.EXTENDED_PROPERTIES))
    +                foundExtPropRel = true;
    +        }
    +        assertTrue("Core/Doc Relationship not found in " + p.getRelationships(), foundDocRel);
    +        assertTrue("Core Props Relationship not found in " + p.getRelationships(), foundCorePropRel);
    +        assertTrue("Ext Props Relationship not found in " + p.getRelationships(), foundExtPropRel);
    +
    +        // Get the Core Properties
    +        PackagePropertiesPart props = (PackagePropertiesPart)p.getPackageProperties();
    +        
    +        // Check
    +        assertEquals("Stefan Kopf", props.getCreatorProperty().getValue());
    +    }
     }
    
  • src/ooxml/testcases/org/apache/poi/openxml4j/opc/TestRelationships.java+45 2 modified
    @@ -17,15 +17,18 @@ Licensed to the Apache Software Foundation (ASF) under one or more
     
     package org.apache.poi.openxml4j.opc;
     
    -import java.io.*;
    +import java.io.ByteArrayInputStream;
    +import java.io.ByteArrayOutputStream;
    +import java.io.InputStream;
     import java.net.URI;
     import java.util.regex.Pattern;
     
     import junit.framework.TestCase;
     
     import org.apache.poi.openxml4j.OpenXML4JTestDataSamples;
    -import org.apache.poi.util.POILogger;
     import org.apache.poi.util.POILogFactory;
    +import org.apache.poi.util.POILogger;
    +import org.apache.poi.xwpf.usermodel.XWPFRelation;
     
     
     public class TestRelationships extends TestCase {
    @@ -309,6 +312,7 @@ public void assert_50154(OPCPackage pkg) throws Exception {
             URI rel1 = parent.relativize(rId1.getTargetURI());
             URI rel11 = PackagingURIHelper.relativizeURI(drawingPart.getPartName().getURI(), rId1.getTargetURI());
             assertEquals("'Another Sheet'!A1", rel1.getFragment());
    +        assertEquals("'Another Sheet'!A1", rel11.getFragment());
     
             PackageRelationship rId2 = drawingPart.getRelationship("rId2");
             URI rel2 = PackagingURIHelper.relativizeURI(drawingPart.getPartName().getURI(), rId2.getTargetURI());
    @@ -390,6 +394,45 @@ public void testTrailingSpacesInURI_53282() throws Exception {
             targetUri = rId1.getTargetURI();
             assertEquals("mailto:nobody@nowhere.uk%C2%A0", targetUri.toASCIIString());
             assertEquals("nobody@nowhere.uk\u00A0", targetUri.getSchemeSpecificPart());
    +    }
    +    
    +    public void testEntitiesInRels_56164() throws Exception {
    +        InputStream is = OpenXML4JTestDataSamples.openSampleStream("PackageRelsHasEntities.ooxml");
    +        OPCPackage p = OPCPackage.open(is);
    +        is.close();
     
    +        // Should have 3 root relationships
    +        boolean foundDocRel = false, foundCorePropRel = false, foundExtPropRel = false;
    +        for (PackageRelationship pr : p.getRelationships()) {
    +            if (pr.getRelationshipType().equals(PackageRelationshipTypes.CORE_DOCUMENT))
    +                foundDocRel = true;
    +            if (pr.getRelationshipType().equals(PackageRelationshipTypes.CORE_PROPERTIES))
    +                foundCorePropRel = true;
    +            if (pr.getRelationshipType().equals(PackageRelationshipTypes.EXTENDED_PROPERTIES))
    +                foundExtPropRel = true;
    +        }
    +        assertTrue("Core/Doc Relationship not found in " + p.getRelationships(), foundDocRel);
    +        assertTrue("Core Props Relationship not found in " + p.getRelationships(), foundCorePropRel);
    +        assertTrue("Ext Props Relationship not found in " + p.getRelationships(), foundExtPropRel);
    +        
    +        // Should have normal work parts
    +        boolean foundCoreProps = false, foundDocument = false, foundTheme1 = false;
    +        for (PackagePart part : p.getParts()) {
    +            if (part.getPartName().toString().equals("/docProps/core.xml")) {
    +                assertEquals(ContentTypes.CORE_PROPERTIES_PART, part.getContentType());
    +                foundCoreProps = true;
    +            }
    +            if (part.getPartName().toString().equals("/word/document.xml")) {
    +                assertEquals(XWPFRelation.DOCUMENT.getContentType(), part.getContentType());
    +                foundDocument = true;
    +            }
    +            if (part.getPartName().toString().equals("/word/theme/theme1.xml")) {
    +                assertEquals(XWPFRelation.THEME.getContentType(), part.getContentType());
    +                foundTheme1 = true;
    +            }
    +        }
    +        assertTrue("Core not found in " + p.getParts(), foundCoreProps);
    +        assertTrue("Document not found in " + p.getParts(), foundDocument);
    +        assertTrue("Theme1 not found in " + p.getParts(), foundTheme1);
         }
     }
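Review bot: `testEntitiesInRels_56164` never closes the `OPCPackage` it opens at the top of the method, and `is.close()` sits outside any finally, so a failing assertion leaves the package and its underlying zip handle open for the rest of the test run; wrap the body in try/finally and call `p.revert()` there, since nothing is written back. The assertions only check that the three root relationships and three parts are present; if the fixture's entity references sit inside relationship targets or part names, an `assertEquals` on the resolved target value would also catch a regression where entities are mishandled rather than merely tolerated — I cannot confirm the fixture content from the diff, so treat that as a suggestion to verify. The method starts and ends inside this hunk.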
    
  • test-data/openxml4j/CorePropertiesHasEntities.ooxml+0 0 added
  • test-data/openxml4j/PackageRelsHasEntities.ooxml+0 0 added
d72bd78c19df

Fix bug #56164 - Tidy up the OPC SAX setup code with a new common Helper

https://github.com/apache/poiNick BurchFeb 19, 2014via ghsa
5 files changed · +88 25
  • src/ooxml/java/org/apache/poi/openxml4j/opc/internal/ContentTypeManager.java+3 4 modified
    @@ -23,8 +23,8 @@ Licensed to the Apache Software Foundation (ASF) under one or more
     import java.net.URISyntaxException;
     import java.util.Iterator;
     import java.util.List;
    -import java.util.TreeMap;
     import java.util.Map.Entry;
    +import java.util.TreeMap;
     
     import org.apache.poi.openxml4j.exceptions.InvalidFormatException;
     import org.apache.poi.openxml4j.exceptions.InvalidOperationException;
    @@ -33,13 +33,13 @@ Licensed to the Apache Software Foundation (ASF) under one or more
     import org.apache.poi.openxml4j.opc.PackagePart;
     import org.apache.poi.openxml4j.opc.PackagePartName;
     import org.apache.poi.openxml4j.opc.PackagingURIHelper;
    +import org.apache.poi.util.SAXHelper;
     import org.dom4j.Document;
     import org.dom4j.DocumentException;
     import org.dom4j.DocumentHelper;
     import org.dom4j.Element;
     import org.dom4j.Namespace;
     import org.dom4j.QName;
    -import org.dom4j.io.SAXReader;
     
     /**
      * Manage package content types ([Content_Types].xml part).
    @@ -373,8 +373,7 @@ public void clearOverrideContentTypes() {
     	private void parseContentTypesFile(InputStream in)
     			throws InvalidFormatException {
     		try {
    -			SAXReader xmlReader = new SAXReader();
    -			Document xmlContentTypetDoc = xmlReader.read(in);
    +			Document xmlContentTypetDoc = SAXHelper.readSAXDocument(in);
     
     			// Default content types
     			List defaultTypes = xmlContentTypetDoc.getRootElement().elements(
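Review bot: `parseContentTypesFile` now relies on `SAXHelper.readSAXDocument` for its safety properties, but nothing at the call site says why the plain `SAXReader` was dropped, so a later refactor can quietly reintroduce it; a one-line comment above the `readSAXDocument` call such as `// Use the shared helper: its reader never resolves external entities (bug #56164)` keeps the reason attached to the code. The same applies to the replacement calls in `PackagePropertiesUnmarshaller.unmarshall` and `PackageRelationshipCollection.parseRelationshipsPart`. `parseContentTypesFile` continues past the end of this hunk.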
    
  • src/ooxml/java/org/apache/poi/openxml4j/opc/internal/unmarshallers/PackagePropertiesUnmarshaller.java+8 9 modified
    @@ -23,13 +23,6 @@ Licensed to the Apache Software Foundation (ASF) under one or more
     import java.util.List;
     import java.util.zip.ZipEntry;
     
    -import org.dom4j.Attribute;
    -import org.dom4j.Document;
    -import org.dom4j.DocumentException;
    -import org.dom4j.Element;
    -import org.dom4j.Namespace;
    -import org.dom4j.QName;
    -import org.dom4j.io.SAXReader;
     import org.apache.poi.openxml4j.exceptions.InvalidFormatException;
     import org.apache.poi.openxml4j.opc.PackageNamespaces;
     import org.apache.poi.openxml4j.opc.PackagePart;
    @@ -38,6 +31,13 @@ Licensed to the Apache Software Foundation (ASF) under one or more
     import org.apache.poi.openxml4j.opc.internal.PackagePropertiesPart;
     import org.apache.poi.openxml4j.opc.internal.PartUnmarshaller;
     import org.apache.poi.openxml4j.opc.internal.ZipHelper;
    +import org.apache.poi.util.SAXHelper;
    +import org.dom4j.Attribute;
    +import org.dom4j.Document;
    +import org.dom4j.DocumentException;
    +import org.dom4j.Element;
    +import org.dom4j.Namespace;
    +import org.dom4j.QName;
     
     /**
      * Package properties unmarshaller.
    @@ -118,10 +118,9 @@ public PackagePart unmarshall(UnmarshallContext context, InputStream in)
     						"Error while trying to get the part input stream.");
     		}
     
    -		SAXReader xmlReader = new SAXReader();
     		Document xmlDoc;
     		try {
    -			xmlDoc = xmlReader.read(in);
    +			xmlDoc = SAXHelper.readSAXDocument(in);
     
     			/* Check OPC compliance */
     
    
  • src/ooxml/java/org/apache/poi/openxml4j/opc/PackageRelationshipCollection.java+2 4 modified
    @@ -26,10 +26,10 @@ Licensed to the Apache Software Foundation (ASF) under one or more
     import org.apache.poi.openxml4j.exceptions.InvalidOperationException;
     import org.apache.poi.util.POILogFactory;
     import org.apache.poi.util.POILogger;
    +import org.apache.poi.util.SAXHelper;
     import org.dom4j.Attribute;
     import org.dom4j.Document;
     import org.dom4j.Element;
    -import org.dom4j.io.SAXReader;
     
     /**
      * Represents a collection of PackageRelationship elements that are owned by a
    @@ -309,10 +309,8 @@ public int size() {
         private void parseRelationshipsPart(PackagePart relPart)
                 throws InvalidFormatException {
             try {
    -            SAXReader reader = new SAXReader();
                 logger.log(POILogger.DEBUG, "Parsing relationship: " + relPart.getPartName());
    -            Document xmlRelationshipsDoc = reader
    -                    .read(relPart.getInputStream());
    +            Document xmlRelationshipsDoc = SAXHelper.readSAXDocument(relPart.getInputStream());
     
                 // Browse default types
                 Element root = xmlRelationshipsDoc.getRootElement();
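Review bot: The stream returned by `relPart.getInputStream()` is passed straight into `SAXHelper.readSAXDocument` and never closed; the old `SAXReader.read(...)` had the same shape, but since the line is being rewritten anyway this is the place to hold the stream in a local and release it, `InputStream in = relPart.getInputStream(); try { Document xmlRelationshipsDoc = SAXHelper.readSAXDocument(in); ... } finally { in.close(); }`. `assertMSCompatibility` in TestPackage.java has the same pattern on its new `readSAXDocument` line. Whether dom4j's `SAXReader.read(InputStream)` closes the stream itself is not visible from the diff, so confirm before relying on it. `parseRelationshipsPart` continues past the end of this hunk.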
    
  • src/ooxml/java/org/apache/poi/util/SAXHelper.java+59 0 added
    @@ -0,0 +1,59 @@
    +/* ====================================================================
    +   Licensed to the Apache Software Foundation (ASF) under one or more
    +   contributor license agreements.  See the NOTICE file distributed with
    +   this work for additional information regarding copyright ownership.
    +   The ASF licenses this file to You under the Apache License, Version 2.0
    +   (the "License"); you may not use this file except in compliance with
    +   the License.  You may obtain a copy of the License at
    +
    +       http://www.apache.org/licenses/LICENSE-2.0
    +
    +   Unless required by applicable law or agreed to in writing, software
    +   distributed under the License is distributed on an "AS IS" BASIS,
    +   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    +   See the License for the specific language governing permissions and
    +   limitations under the License.
    +==================================================================== */
    +
    +package org.apache.poi.util;
    +
    +import java.io.IOException;
    +import java.io.InputStream;
    +import java.io.StringReader;
    +
    +import org.dom4j.Document;
    +import org.dom4j.DocumentException;
    +import org.dom4j.io.SAXReader;
    +import org.xml.sax.EntityResolver;
    +import org.xml.sax.InputSource;
    +import org.xml.sax.SAXException;
    +
    +
    +/**
    + * Provides handy methods for working with SAX parsers and readers
    + */
    +public final class SAXHelper {
    +    /**
    +     * Creates a new SAX Reader, with sensible defaults
    +     */
    +    public static SAXReader getSAXReader() {
    +        SAXReader xmlReader = new SAXReader();
    +        xmlReader.setEntityResolver(new EntityResolver() {
    +            public InputSource resolveEntity(String publicId, String systemId)
    +                    throws SAXException, IOException {
    +                return new InputSource(new StringReader(""));
    +            }
    +        });
    +        return xmlReader;
    +    }
    +    
    +    /**
    +     * Parses the given stream via the default (sensible)
    +     * SAX Reader
    +     * @param inp Stream to read the XML data from
    +     * @return the SAX processed Document 
    +     */
    +    public static Document readSAXDocument(InputStream inp) throws DocumentException {
    +        return getSAXReader().read(inp);
    +    }
    +}
    
  • src/ooxml/testcases/org/apache/poi/openxml4j/opc/TestPackage.java+16 8 modified
    @@ -17,10 +17,19 @@ Licensed to the Apache Software Foundation (ASF) under one or more
     
     package org.apache.poi.openxml4j.opc;
     
    -import java.io.*;
    +import java.io.ByteArrayOutputStream;
    +import java.io.File;
    +import java.io.FileInputStream;
    +import java.io.FileOutputStream;
    +import java.io.IOException;
    +import java.io.InputStream;
    +import java.io.OutputStream;
     import java.lang.reflect.Field;
     import java.net.URI;
    -import java.util.*;
    +import java.util.HashMap;
    +import java.util.Iterator;
    +import java.util.List;
    +import java.util.TreeMap;
     import java.util.regex.Pattern;
     
     import junit.framework.TestCase;
    @@ -31,15 +40,15 @@ Licensed to the Apache Software Foundation (ASF) under one or more
     import org.apache.poi.openxml4j.opc.internal.ContentTypeManager;
     import org.apache.poi.openxml4j.opc.internal.FileHelper;
     import org.apache.poi.openxml4j.opc.internal.PackagePropertiesPart;
    -import org.apache.poi.util.TempFile;
    -import org.apache.poi.util.POILogger;
     import org.apache.poi.util.POILogFactory;
    +import org.apache.poi.util.POILogger;
    +import org.apache.poi.util.SAXHelper;
    +import org.apache.poi.util.TempFile;
     import org.dom4j.Document;
     import org.dom4j.DocumentHelper;
     import org.dom4j.Element;
     import org.dom4j.Namespace;
     import org.dom4j.QName;
    -import org.dom4j.io.SAXReader;
     
     public final class TestPackage extends TestCase {
         private static final POILogger logger = POILogFactory.getLogger(TestPackage.class);
    @@ -211,9 +220,8 @@ public void testCreatePackageWithCoreDocument() throws Exception {
         private void assertMSCompatibility(OPCPackage pkg) throws Exception {
             PackagePartName relName = PackagingURIHelper.createPartName(PackageRelationship.getContainerPartRelationship());
             PackagePart relPart = pkg.getPart(relName);
    -        SAXReader reader = new SAXReader();
    -        Document xmlRelationshipsDoc = reader
    -                .read(relPart.getInputStream());
    +
    +        Document xmlRelationshipsDoc = SAXHelper.readSAXDocument(relPart.getInputStream());
     
             Element root = xmlRelationshipsDoc.getRootElement();
             for (Iterator i = root
    
