Index: trunk/test/data/dom_external_entity.xml
===================================================================
--- trunk/test/data/dom_external_entity.xml	(revision 16560)
+++ trunk/test/data/dom_external_entity.xml	(revision 16560)
@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE updateProfile [
+  <!ENTITY file SYSTEM "file:///tmp/passwd">
+]>
+<root>
+    &file;
+</root>
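Review bot: The DOCTYPE name `updateProfile` does not match the document element `root` (nor `presets` in preset_external_entity.xml), which reads like a leftover from a copied sample. Naming the DOCTYPE after the root element would keep the fixture valid apart from the external entity, so a rejection can only come from entity/DOCTYPE handling. A short comment after the XML declaration would also mark the file as deliberately hostile, e.g. `<!-- XXE fixture: safe parsers must refuse this document (see XmlUtilsTest) -->`. The file name in `file:///tmp/passwd` is echoed in the message XmlUtilsTest asserts on ('passwd'), so the two have to change together.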
Index: trunk/test/data/preset_external_entity.xml
===================================================================
--- trunk/test/data/preset_external_entity.xml	(revision 16560)
+++ trunk/test/data/preset_external_entity.xml	(revision 16560)
@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE updateProfile [
+  <!ENTITY file SYSTEM "file:///tmp/passwd">
+]>
+<presets xmlns="http://josm.openstreetmap.de/tagging-preset-1.0">
+    &file;
+</presets>
Index: trunk/test/unit/org/openstreetmap/josm/gui/tagging/presets/TaggingPresetReaderTest.java
===================================================================
--- trunk/test/unit/org/openstreetmap/josm/gui/tagging/presets/TaggingPresetReaderTest.java	(revision 16547)
+++ trunk/test/unit/org/openstreetmap/josm/gui/tagging/presets/TaggingPresetReaderTest.java	(revision 16560)
@@ -6,4 +6,5 @@
 import static org.junit.Assert.assertThat;
 import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
 
 import java.io.IOException;
@@ -67,4 +68,19 @@
 
     /**
+     * Test external entity resolving.
+     * See #19286
+     */
+    @Test
+    public void testExternalEntityResolving() throws IOException {
+        try {
+            TaggingPresetReader.readAll(TestUtils.getTestDataRoot() + "preset_external_entity.xml", true);
+            fail("Reading a file with external entities should throw an SAXParseException!");
+        } catch (SAXException e) {
+            String expected = "DOCTYPE is disallowed when the feature \"http://apache.org/xml/features/disallow-doctype-decl\" set to true.";
+            assertEquals(expected, e.getMessage());
+        }
+    }
+
+    /**
      * Validate internal presets
      * See #9027
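Review bot: The exact-message assertion in testExternalEntityResolving ties the test to the bundled parser's wording, which may be localized or reworded between Java versions. Checking the stable part is enough, e.g. `assertTrue(e.getMessage().contains("http://apache.org/xml/features/disallow-doctype-decl"));`. The same holds for the message assertions in XmlUtilsTest. The fail() text names SAXParseException while the catch clause is for SAXException, so one should be aligned with the other. The hunk ends inside the next method's Javadoc, but the new test is fully visible.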
Index: trunk/test/unit/org/openstreetmap/josm/tools/XmlUtilsTest.java
===================================================================
--- trunk/test/unit/org/openstreetmap/josm/tools/XmlUtilsTest.java	(revision 16560)
+++ trunk/test/unit/org/openstreetmap/josm/tools/XmlUtilsTest.java	(revision 16560)
@@ -0,0 +1,78 @@
+// License: GPL. For details, see LICENSE file.
+package org.openstreetmap.josm.tools;
+
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
+import org.junit.Rule;
+import org.junit.Test;
+import org.openstreetmap.josm.TestUtils;
+import org.openstreetmap.josm.testutils.JOSMTestRules;
+import org.xml.sax.InputSource;
+import org.xml.sax.SAXException;
+import org.xml.sax.helpers.DefaultHandler;
+
+import javax.xml.parsers.ParserConfigurationException;
+import javax.xml.transform.Transformer;
+import javax.xml.transform.TransformerException;
+import javax.xml.transform.stream.StreamResult;
+import javax.xml.transform.stream.StreamSource;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.io.StringWriter;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.fail;
+
+/**
+ * Unit tests of {@link XmlUtils} class.
+ */
+public class XmlUtilsTest {
+
+    /**
+     * Use default, basic test rules.
+     */
+    @Rule
+    @SuppressFBWarnings(value = "URF_UNREAD_PUBLIC_OR_PROTECTED_FIELD")
+    public JOSMTestRules rules = new JOSMTestRules();
+
+    private static final String EXPECTED = "External Entity: Failed to read external document 'passwd', " +
+            "because 'file' access is not allowed due to restriction set by the accessExternalDTD property.";
+
+    @Test
+    public void testExternalEntitiesParsingDom() throws IOException, ParserConfigurationException {
+        try {
+            final String source = TestUtils.getTestDataRoot() + "dom_external_entity.xml";
+            XmlUtils.parseSafeDOM(new FileInputStream(source));
+            fail("Parsing a document with external entities should not be allowed.");
+        } catch (SAXException e) {
+            assertEquals("External Entity: Failed to read external document 'passwd', " +
+                    "because 'file' access is not allowed due to restriction set by the accessExternalDTD property.", e.getMessage());
+        }
+    }
+
+    @Test
+    public void testExternalEntitiesTransformer() throws IOException {
+        try {
+            final String source = TestUtils.getTestDataRoot() + "dom_external_entity.xml";
+            final Transformer transformer = XmlUtils.newSafeTransformerFactory().newTransformer();
+            transformer.transform(new StreamSource(new FileInputStream(source)), new StreamResult(new StringWriter()));
+            fail("Parsing a document with external entities should not be allowed.");
+        } catch (TransformerException e) {
+            assertNotNull(e.getCause());
+            assertEquals(EXPECTED, e.getCause().getMessage());
+        }
+    }
+
+    @Test
+    public void testExternalEntitiesSaxParser() throws IOException, ParserConfigurationException {
+        try {
+            final String source = TestUtils.getTestDataRoot() + "dom_external_entity.xml";
+            final DefaultHandler handler = new DefaultHandler();
+            XmlUtils.parseSafeSAX(new InputSource(new FileInputStream(source)), handler);
+            fail("Parsing a document with external entities should not be allowed.");
+        } catch (SAXException e) {
+            String expected = "DOCTYPE is disallowed when the feature \"http://apache.org/xml/features/disallow-doctype-decl\" set to true.";
+            assertEquals(expected, e.getMessage());
+        }
+    }
+}
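Review bot: All three tests pass `new FileInputStream(source)` inline and rely on the parser to close it, so the handle may leak on the exception path, which is the expected path here. Opening it with `try (FileInputStream in = new FileInputStream(source)) {` and passing `in` avoids that. testExternalEntitiesParsingDom repeats the literal already held in `EXPECTED`, and `assertEquals(EXPECTED, e.getMessage());` keeps the two from drifting. Judging by the expected messages, the DOM and transformer paths accept the DOCTYPE and block only external access, while the SAX path rejects any DOCTYPE, and both fixtures exercise only a `file:` external entity. A fixture whose DOCTYPE declares only internal entities would show whether that difference is intended. The three test methods also lack the Javadoc that the class and the rule field carry.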
