jersey: XXE via parameter entities not disabled by the jersey SAX parser