It seems that mod_dontdothat creates an Expat XML parser without
inhibiting XML entity expansion for the internal DTD subset.  This
might cause a denial-of-service issue when parsing client-submitted
XML.

There are other pieces of code in Subversion which also create Expat
parsers this way, but they are in the client code, so there is less
exposure.

May I file an issue for this?

Thanks,
Florian
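
The hardening the report refers to, as an added example that is not part of the original message or of Subversion's code: Python's `xml.parsers.expat` binding to the Expat library is used to compare a default parser with one whose entity-declaration handler rejects any document that declares an entity. The helper names and the sample request bodies are constructed for illustration.

```python
import xml.parsers.expat as expat

# Constructed sample bodies (not taken from Subversion traffic).
PLAIN = b'<?xml version="1.0"?><report><entry/></report>'
WITH_ENTITY = (b'<?xml version="1.0"?>'
               b'<!DOCTYPE report [<!ENTITY e "text">]>'
               b'<report>&e;</report>')


class EntityDeclarationRejected(Exception):
    """Untrusted XML declared an entity in its DTD."""


def expand_with_default_parser(body):
    """Default behaviour: internal entities are expanded into character data."""
    chunks = []
    parser = expat.ParserCreate()
    parser.CharacterDataHandler = chunks.append
    parser.Parse(body, True)
    return "".join(chunks)


def parse_untrusted(body):
    """Hardened parse (hypothetical helper): returns (accepted, element_names)."""
    seen = []
    parser = expat.ParserCreate()
    parser.StartElementHandler = lambda name, attrs: seen.append(name)

    def reject(name, is_param, value, base, system_id, public_id, notation):
        # Fires on each <!ENTITY ...> declaration, before any reference to it
        # is expanded. The C API equivalent is XML_SetEntityDeclHandler
        # with a handler that calls XML_StopParser.
        raise EntityDeclarationRejected(name)

    parser.EntityDeclHandler = reject
    try:
        parser.Parse(body, True)
    except (EntityDeclarationRejected, expat.ExpatError):
        return False, seen
    return True, seen


if __name__ == "__main__":
    print(expand_with_default_parser(WITH_ENTITY))
    print(parse_untrusted(PLAIN))
    print(parse_untrusted(WITH_ENTITY))
```

Rejecting at the declaration means the body is refused before the root element is reached, so no element handler runs on a document that carries an internal DTD entity.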
