Closed
Description
Hello,
xmerl is possibly the most mature XML parsing library in the Erlang ecosystem, but unfortunately it permits XXE vulnerabilities by default. Can this be disabled so everyone writing XML parsing code doesn't have to provide a custom fetch_fun for xmerl_scan or set {allow_entities, false} to close the security hole?
This also affects some downstream consumers, including some wrappers for Elixir.
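As an added illustration of the two mitigations the issue names (this is example code, not part of the issue or of xmerl itself), the module below parses a document either with entity parsing disabled via xmerl_scan's allow_entities option, or with a fetch_fun that refuses to fetch any external resource. It assumes the xmerl_scan:string/2 option names from the issue and the documented fetch_fun shape fun(URI, State) -> {ok, not_fetched, State}; the module name safe_xml, the sample document and its placeholder file URI are constructed for the demo.

```erlang
%% safe_xml: hardened wrappers around xmerl_scan:string/2 (example module, not part of xmerl).
-module(safe_xml).
-export([parse_no_entities/1, parse_no_fetch/1, demo/0]).

-include_lib("xmerl/include/xmerl.hrl").

%% Mitigation 1: refuse any document that declares entities.
%% With {allow_entities, false} xmerl_scan aborts on an <!ENTITY ...> declaration,
%% which it signals by exiting; the exit is caught and turned into an error tuple
%% so callers never see a partially expanded document.
parse_no_entities(Xml) when is_list(Xml) ->
    try xmerl_scan:string(Xml, [{allow_entities, false}]) of
        {#xmlElement{} = Doc, _Rest} -> {ok, Doc}
    catch
        exit:Reason -> {error, {entities_rejected, Reason}}
    end.

%% Mitigation 2: keep entity parsing but never fetch external resources
%% (external DTD subsets or SYSTEM/PUBLIC entities). The fetch_fun answers
%% not_fetched for every URI, so no local file or network resource is read
%% on the parser's behalf. The scanner state is passed through unchanged.
parse_no_fetch(Xml) when is_list(Xml) ->
    RefuseAll = fun(_URI, State) -> {ok, not_fetched, State} end,
    try xmerl_scan:string(Xml, [{fetch_fun, RefuseAll}]) of
        {#xmlElement{} = Doc, _Rest} -> {ok, Doc}
    catch
        exit:Reason -> {error, {fetch_refused, Reason}}
    end.

%% Constructed sample: a document whose DTD declares an external entity
%% pointing at a placeholder URI. Running both wrappers over it shows that
%% neither path expands the entity from the local filesystem.
demo() ->
    Sample =
        "<?xml version=\"1.0\"?>"
        "<!DOCTYPE d [<!ENTITY ext SYSTEM \"file:///placeholder/not-a-real-path\">]>"
        "<d>&ext;</d>",
    {parse_no_entities(Sample), parse_no_fetch(Sample)}.
```

Both wrappers only accept a char list, as xmerl_scan:string/2 does; binaries from a socket should be converted with binary_to_list/1 first. Which mitigation to pick depends on whether the application legitimately needs internal entities: allow_entities false is the stricter and simpler choice, while the fetch_fun route preserves internal entity expansion and only blocks external lookups.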