Fix XSS, STI (with Sanitized GuiMessage) & XXE (with XmlDocumentBuilderFactory that disable DTD loading)