[dwdunwetter] Handle possible XXE injection (#15466)

XMLInputFactory: Disable properties IS_SUPPORTING_EXTERNAL_ENTITIES and
SUPPORT_DTD which allow injecting external entities.

Signed-off-by: Holger Friedrich <mail@holger-friedrich.de>

bundles/org.openhab.binding.dwdunwetter/src/main/java/org/openhab/binding/dwdunwetter/internal/dto/DwdWarningsData.java

@@ -119,6 +119,8 @@ public class DwdWarningsData {
 
         try {
             XMLInputFactory inputFactory = XMLInputFactory.newInstance();
+            inputFactory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
+            inputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
             XMLStreamReader reader = inputFactory.createXMLStreamReader(new StringReader(rawData));
             XMLEventReader eventReader = inputFactory.createXMLEventReader(reader);
             DwdWarningData gemeindeData = new DwdWarningData();