Low-key wonder if there's a hall of shame for XML, JSON-LD, maybe YAML, … libraries that grab external resources by default.
Discussion
If someone made one maybe it would be more obvious when researching which libraries to use...
It's hilarious how stupid it is they left this enabled by default. Afraid of breaking backwards compatibility or something?
Probably worth our time to see if we can stir up some discussion on this upstream
And it's kind of ironic that one of the reasons Pleroma doesn't adopt JSON-LD is due to the external entities issue, among other broken designs of JSON-LD, only to get hit via a worse version right in the XML library that's part of Erlang, even though XML doesn't require the bad design in question.
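As an added illustration (not code from anyone in this thread or from the Pleroma project), this is one way to opt out of the default-on resource fetching in OTP's xmerl: supply your own `fetch_fun` so every external reference (DOCTYPE SYSTEM/PUBLIC identifiers, external entities) is refused instead of read from disk or the network. The module name `safe_xml`, the helper names and the sample document are all constructed for the example; `{allow_entities, false}` is assumed to be available only in newer xmerl releases, so check your OTP version before relying on it.

```erlang
%% Example (constructed for this thread, not project code): parse untrusted XML
%% with xmerl while refusing every external resource the document points at.
-module(safe_xml).
-export([parse/1, demo/0]).

-include_lib("xmerl/include/xmerl.hrl").

%% fetch_fun callback. xmerl calls it for each external reference, e.g.
%% {system, URI} or {public, PubId, URI}. Returning not_fetched tells the
%% scanner to continue without the resource, so no file read or HTTP
%% request ever happens. A document that genuinely depends on the resource
%% then fails to parse, which is the outcome we want for untrusted input.
refuse_external(Spec, State) ->
    error_logger:warning_msg("refused external XML resource: ~p~n", [Spec]),
    {ok, not_fetched, State}.

%% Parse a string of XML with fetching disabled. fetch_path is emptied so
%% relative identifiers cannot resolve to local files either.
parse(Xml) when is_list(Xml) ->
    Opts = [{fetch_fun, fun refuse_external/2},
            {fetch_path, []},
            %% Assumption: newer xmerl accepts {allow_entities, false}, which
            %% rejects entity definitions outright. Add it once you have
            %% confirmed your OTP version supports it:
            %% {allow_entities, false},
            {quiet, true}],
    xmerl_scan:string(Xml, Opts).

%% Constructed sample: a DOCTYPE pointing at an external DTD and an external
%% entity. With the default scanner options xmerl would try to fetch both;
%% with parse/1 the fetch is refused and logged instead.
demo() ->
    Xml = "<?xml version=\"1.0\"?>"
          "<!DOCTYPE note SYSTEM \"http://example.invalid/note.dtd\" ["
          "<!ENTITY ext SYSTEM \"file:///etc/hostname\">"
          "]>"
          "<note>&ext;</note>",
    %% Wrap in catch: xmerl raises on a document it cannot complete, and a
    %% refused external reference is exactly such a case.
    case catch parse(Xml) of
        {#xmlElement{} = Doc, _Rest} -> {ok, Doc};
        Other -> {rejected, Other}
    end.
```

Run `safe_xml:demo()` in an Erlang shell on a box with xmerl installed; the warning line shows which reference was refused, and `{rejected, _}` confirms nothing was fetched.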