Hacker News

It's bad practice to fetch an external DTD on a server you don't control, first for security reasons, second because your application then depends on something that can go away anytime, third because it's rude to the third party.

twic is right that one should always use entity resolvers that point to local resources and that parsers should run in a sandbox without external access.

He's also right to say that by default parsers shouldn't go fetch external resources; I think the reason is historical; entity resolvers appeared later than the parsers themselves.
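
The two points above (an entity resolver backed only by local resources, and a parser that does not fetch external resources unless told to) as an added example, not code from either commenter. It uses Python's standard-library SAX parser; the catalog contents, the three sample documents and the host dtd.example.invalid are constructed for the demonstration. Recent Python versions leave external general entities off in xml.sax; the example sets the feature explicitly in both directions rather than relying on the default, and the catalog resolver fails closed on anything it does not recognise. An egress-blocked sandbox, as the comment says, is still worth having underneath this.

```python
"""XML parsing with a local-catalog entity resolver and a no-fetch mode.

Added example; the catalog, sample documents and dtd.example.invalid host
are constructed for this demonstration.
"""
import io
import xml.sax
from xml.sax import handler, xmlreader


class ExternalResourceRefused(Exception):
    """Raised when a document references a resource outside the catalog."""


# Constructed local catalog: public or system identifier -> DTD bytes.
# This is the only material the parser may see for external references.
LOCAL_CATALOG = {
    "-//EXAMPLE//DTD Note 1.0//EN":
        b'<!ELEMENT note (#PCDATA)>\n<!ENTITY greeting "hello">\n',
}


class CatalogResolver(handler.EntityResolver):
    """Serve external DTDs and entities from a local catalog, refuse the rest.

    The default resolver hands the system ID back unchanged and the parser
    then opens it (http://, file://, ...).  This one never leaves memory.
    """

    def __init__(self, catalog):
        self.catalog = catalog
        self.refused = []  # (publicId, systemId) pairs that were declined

    def resolveEntity(self, publicId, systemId):
        body = self.catalog.get(publicId) or self.catalog.get(systemId)
        if body is None:
            self.refused.append((publicId, systemId))
            raise ExternalResourceRefused(f"{publicId!r} / {systemId!r} not in catalog")
        src = xmlreader.InputSource()
        src.setByteStream(io.BytesIO(body))  # local bytes, no I/O
        return src


class TextCollector(handler.ContentHandler):
    """Collect character data and the names of entities the parser skipped."""

    def __init__(self):
        super().__init__()
        self.text = []
        self.skipped = []

    def characters(self, content):
        self.text.append(content)

    def skippedEntity(self, name):
        self.skipped.append(name)


def safe_parse(data, mode):
    """Parse XML bytes; return a dict with status, text, skipped, refused.

    mode="no_external": external general entities and the external DTD
        subset are never fetched; undefined entities are reported as skipped.
    mode="catalog": fetching is enabled, but every request goes through
        CatalogResolver, so anything outside the catalog is refused.
    """
    parser = xml.sax.make_parser()
    collector = TextCollector()
    resolver = CatalogResolver(LOCAL_CATALOG)
    parser.setContentHandler(collector)
    if mode == "no_external":
        parser.setFeature(handler.feature_external_ges, False)
    elif mode == "catalog":
        parser.setFeature(handler.feature_external_ges, True)
        parser.setEntityResolver(resolver)
    else:
        raise ValueError(mode)
    try:
        parser.parse(io.BytesIO(data))
        status = "ok"
    except ExternalResourceRefused:
        status = "refused"
    return {"status": status, "text": "".join(collector.text),
            "skipped": collector.skipped, "refused": resolver.refused}


# Constructed sample documents.
DOC_CATALOGED_DTD = (b'<?xml version="1.0"?>\n'
                     b'<!DOCTYPE note PUBLIC "-//EXAMPLE//DTD Note 1.0//EN"\n'
                     b'  "http://dtd.example.invalid/note.dtd">\n'
                     b'<note>&greeting; world</note>')
DOC_UNKNOWN_DTD = (b'<!DOCTYPE note SYSTEM "http://dtd.example.invalid/other.dtd">\n'
                   b'<note>&greeting; world</note>')
DOC_XXE = (b'<!DOCTYPE note [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>\n'
           b'<note>&xxe;</note>')

if __name__ == "__main__":
    for name, doc in [("cataloged", DOC_CATALOGED_DTD),
                      ("unknown-dtd", DOC_UNKNOWN_DTD), ("xxe", DOC_XXE)]:
        for mode in ("no_external", "catalog"):
            print(name, mode, safe_parse(doc, mode))
```

In "catalog" mode the document whose public identifier is in the catalog resolves `&greeting;` to "hello" without any network access, while the unknown DTD and the file:// entity are refused before anything is opened. In "no_external" mode nothing is ever fetched and the same documents parse with the entities skipped, which is the behaviour the comment argues should be the default.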




It is bad practice, but you know that it is uncannily common?

Just remember that the W3C had to impose download restrictions on the (X)HTML DTDs (http://www.w3.org/Help/Webmaster#block).



