Index: /trunk/src/org/openstreetmap/josm/data/preferences/PreferencesReader.java
===================================================================
--- /trunk/src/org/openstreetmap/josm/data/preferences/PreferencesReader.java	(revision 14440)
+++ /trunk/src/org/openstreetmap/josm/data/preferences/PreferencesReader.java	(revision 14441)
@@ -26,5 +26,4 @@
 import javax.xml.transform.stream.StreamSource;
 import javax.xml.validation.Schema;
-import javax.xml.validation.Validator;
 
 import org.openstreetmap.josm.io.CachedFile;
@@ -97,6 +96,5 @@
         try (CachedFile cf = new CachedFile("resource://data/preferences.xsd"); InputStream xsdStream = cf.getInputStream()) {
             Schema schema = XmlUtils.newXmlSchemaFactory().newSchema(new StreamSource(xsdStream));
-            Validator validator = schema.newValidator();
-            validator.validate(new StreamSource(in));
+            XmlUtils.newSafeValidator(schema).validate(new StreamSource(in));
         }
     }
Index: /trunk/src/org/openstreetmap/josm/tools/OptionParser.java
===================================================================
--- /trunk/src/org/openstreetmap/josm/tools/OptionParser.java	(revision 14440)
+++ /trunk/src/org/openstreetmap/josm/tools/OptionParser.java	(revision 14441)
@@ -64,10 +64,5 @@
     public OptionParser addFlagParameter(String optionName, Runnable handler) {
         checkOptionName(optionName);
-        availableOptions.put("--" + optionName, new AvailableOption() {
-            @Override
-            public void runFor(String parameter) {
-                handler.run();
-            }
-        });
+        availableOptions.put("--" + optionName, parameter -> handler.run());
         return this;
     }
Index: /trunk/src/org/openstreetmap/josm/tools/XmlUtils.java
===================================================================
--- /trunk/src/org/openstreetmap/josm/tools/XmlUtils.java	(revision 14440)
+++ /trunk/src/org/openstreetmap/josm/tools/XmlUtils.java	(revision 14441)
@@ -14,6 +14,8 @@
 import javax.xml.transform.TransformerConfigurationException;
 import javax.xml.transform.TransformerFactory;
+import javax.xml.validation.Schema;
 import javax.xml.validation.SchemaFactory;
 import javax.xml.validation.SchemaFactoryConfigurationError;
+import javax.xml.validation.Validator;
 
 import org.w3c.dom.Document;
@@ -23,4 +25,6 @@
 import org.xml.sax.InputSource;
 import org.xml.sax.SAXException;
+import org.xml.sax.SAXNotRecognizedException;
+import org.xml.sax.SAXNotSupportedException;
 import org.xml.sax.helpers.DefaultHandler;
 
@@ -146,4 +150,22 @@
 
     /**
+     * Returns a new secure {@link Validator}.
+     * @param schema XML schema
+     * @return a new secure {@link Validator}
+     * @since 14441
+     */
+    public static Validator newSafeValidator(Schema schema) {
+        Validator validator = schema.newValidator();
+        try {
+            validator.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+            validator.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
+        } catch (SAXNotRecognizedException | SAXNotSupportedException e) {
+            // All implementations that implement JAXP 1.5 or newer are required to support these two properties
+            Logging.trace(e);
+        }
+        return validator;
+    }
+
+    /**
      * Get the first child element
      * @param parent parent node
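Review bot: The catch block in `newSafeValidator` fails open: if either `setProperty` call throws, the exception is logged only at trace level and the method still returns a validator that lacks the external-access restrictions, despite a name and Javadoc that promise a secure one. Because both calls share one `try`, a failure on `ACCESS_EXTERNAL_DTD` also skips setting `ACCESS_EXTERNAL_SCHEMA`. Consider making the failure visible, for example `Logging.warn(e);` in place of `Logging.trace(e);`, or failing closed with an unchecked exception, since the `PreferencesReader` call site in this commit depends on this method to block external entity and schema resolution. The Javadoc should also say what "secure" means, for example `Returns a new {@link Validator} with access to external DTDs and schemas disabled.`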
