To effectively protect internal grails parsing against XXE vulnerabilities it is necessary to set the disallow-doctype-decl feature to true and not false. See https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing.

Luis Arias · Luis Arias · commit 757fa246e804 · 2015-11-24T18:07:21.000+01:00
diff --git a/grails-bootstrap/src/main/groovy/org/codehaus/groovy/grails/io/support/IOUtils.java b/grails-bootstrap/src/main/groovy/org/codehaus/groovy/grails/io/support/IOUtils.java
@@ -367,7 +367,7 @@ private static SAXParserFactory createParserFactory() throws ParserConfiguration
             saxParserFactory.setValidating(false);
 
             try {
-                saxParserFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", false);
+                saxParserFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
             } catch (Exception pce) {
                 // ignore, parser doesn't support
             }

Original file line number	Diff line number	Diff line change
`@@ -367,7 +367,7 @@ private static SAXParserFactory createParserFactory() throws ParserConfiguration`
`367`	`367`	`saxParserFactory.setValidating(false);`
`368`	`368`
`369`	`369`	`try {`
`370`		`- saxParserFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", false);`
	`370`	`+ saxParserFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);`
`371`	`371`	`} catch (Exception pce) {`
`372`	`372`	`// ignore, parser doesn't support`
`373`	`373`	`}`