disable DTD processing by default

Author: mythz

src/ServiceStack.Text/XmlSerializer.cs

@@ -19,6 +19,9 @@ public XmlSerializer(bool omitXmlDeclaration = false, int maxCharsInDocument = 1
             XWSettings.Encoding = PclExport.Instance.GetUTF8Encoding(false);
             XWSettings.OmitXmlDeclaration = omitXmlDeclaration;
             XRSettings.MaxCharactersInDocument = maxCharsInDocument;
+            
+            //Prevent XML bombs by default: https://msdn.microsoft.com/en-us/magazine/ee335713.aspx
+            XRSettings.DtdProcessing = DtdProcessing.Prohibit;
         }
 
         private static object Deserialize(string xml, Type type)
@@ -86,7 +89,7 @@ public static string SerializeToString<T>(T from)
             }
             catch (Exception ex)
             {
-                throw new SerializationException(string.Format("Error serializing object of type {0}", from.GetType().FullName), ex);
+                throw new SerializationException($"Error serializing object of type {@from.GetType().FullName}", ex);
             }
         }
 
@@ -102,7 +105,7 @@ public static void SerializeToWriter<T>(T value, TextWriter writer)
             }
             catch (Exception ex)
             {
-                throw new SerializationException(string.Format("Error serializing object of type {0}", value.GetType().FullName), ex);
+                throw new SerializationException($"Error serializing object of type {value.GetType().FullName}", ex);
             }
         }