Index: trunk/src/org/openstreetmap/josm/io/OsmReader.java
===================================================================
--- trunk/src/org/openstreetmap/josm/io/OsmReader.java	(revision 10701)
+++ trunk/src/org/openstreetmap/josm/io/OsmReader.java	(revision 10702)
@@ -585,6 +585,9 @@
 
             try (InputStreamReader ir = UTFInputStreamReader.create(source)) {
-                XMLStreamReader parser = XMLInputFactory.newInstance().createXMLStreamReader(ir);
-                setParser(parser);
+                XMLInputFactory factory = XMLInputFactory.newInstance();
+                // do not try to load external entities
+                factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
+                factory.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
+                setParser(factory.createXMLStreamReader(ir));
                 parse();
             }