Prevent "billion laughs" attack against expat: * xml/apr_xml.c (entity_declaration, default_handler): Add new handlers for expat 2.x and 1.x respectively. (apr_xml_parser_create): Install handler to prevent expansion of internal entities with expat 1.x, and to fail on an entity declaration with expat 2.x. * test/testxml.c (create_dummy_file, dump_xml): Test that predefined entities are expanded. (test_billion_laughs): New test case.