AssertJ has XML External Entity (XXE) vulnerability when parsing untrusted XML via isXmlEqualTo assertion
An XML External Entity (XXE) vulnerability exists in org.assertj.core.util.xml.XmlStringPrettyFormatter: the toXmlDocument(String) method initializes DocumentBuilderFactory with default settings, without disabling DTDs or external entities. This formatter is used by the isXmlEqualTo(CharSequence) assertion for CharSequence values. An application is vulnerable only when it uses untrusted XML input with one of the following methods: isXmlEqualTo(CharSequence) from org.assertj.core.api.AbstractCharSequenceAssert xmlPrettyFormat(String) from org.assertj.core.util.xml.XmlStringPrettyFormatter