diff --git a/backend/src/app/http.clj b/backend/src/app/http.clj
index 65b641ea6..1b2c52516 100644
--- a/backend/src/app/http.clj
+++ b/backend/src/app/http.clj
@@ -137,7 +137,7 @@
 [middleware/errors errors/handle]
 [middleware/cookies]]}
- ["/svg" {:post svgparse}]
+ ["/svg/parse" {:post svgparse}]
 ["/feedback" {:middleware [(:middleware session)]
 :post feedback}]
diff --git a/backend/src/app/svgparse.clj b/backend/src/app/svgparse.clj
index a781d4620..0dd3621f9 100644
--- a/backend/src/app/svgparse.clj
+++ b/backend/src/app/svgparse.clj
@@ -12,6 +12,7 @@
 [app.common.exceptions :as ex]
 [app.metrics :as mtx]
 [clojure.spec.alpha :as s]
+ [clojure.tools.logging :as log]
 [clojure.xml :as xml]
 [integrant.core :as ig])
 (:import
@@ -45,14 +46,24 @@
 {:status 200
 :body (process-request body)})
+(defn secure-factory
+ [s ch]
+ (.. (doto (javax.xml.parsers.SAXParserFactory/newInstance)
+ (.setFeature javax.xml.XMLConstants/FEATURE_SECURE_PROCESSING true)
+ (.setFeature "http://apache.org/xml/features/disallow-doctype-decl" true))
+ (newSAXParser)
+ (parse s ch)))
+
 (defn parse
 [data]
 (try
 (with-open [istream (IOUtils/toInputStream data "UTF-8")]
- (xml/parse istream))
- (catch Exception _e
+ (xml/parse istream secure-factory))
+ (catch Exception e
+ (log/warnf "error on processing svg: %s" (ex-message e))
 (ex/raise :type :validation
- :code :invalid-svg-file))))
+ :code :invalid-svg-file
+ :cause e))))
 (defn process-request
 [body]
diff --git a/frontend/src/app/main/data/workspace/persistence.cljs b/frontend/src/app/main/data/workspace/persistence.cljs
index 49eaf530b..8fec68826 100644
--- a/frontend/src/app/main/data/workspace/persistence.cljs
+++ b/frontend/src/app/main/data/workspace/persistence.cljs
@@ -396,7 +396,7 @@
 (defn parse-svg
 [[name text]]
 (->> (http/send! {:method :post
- :uri "/api/svg"
+ :uri "/api/svg/parse"
 :headers {"content-type" "image/svg+xml"}
 :body text})
 (rx/map (fn [{:keys [status body]}]
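Review bot: `secure-factory` in the svgparse.clj hunk relies on `disallow-doctype-decl` alone to close the XXE hole; that is effective as long as the flag is honored, but the usual hardening also turns off entity resolution itself so the parser cannot fetch external resources even if that flag is later relaxed or unsupported — add `(.setFeature "http://xml.org/sax/features/external-general-entities" false)`, `(.setFeature "http://xml.org/sax/features/external-parameter-entities" false)` and `(.setFeature "http://apache.org/xml/features/nonvalidating/load-external-dtd" false)` to the `doto` form. Note the functional consequence of the chosen flag: many real-world SVG exports begin with `<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" ...>`, and with `disallow-doctype-decl` every such file is now rejected as `:invalid-svg-file`, so either accept that regression knowingly or state it in a docstring on `secure-factory` (`"SAX parser entry point for clojure.xml/parse that refuses any DOCTYPE, so SVGs carrying a DTD declaration are rejected as a side effect of blocking external entities."`). The new `(catch Exception e ...)` logs `(ex-message e)` and attaches the raw parser exception as `:cause`; SAX error messages can echo fragments of the attacker-supplied document, so confirm that the errors middleware does not serialize `:cause` to the client. The `process-request` definition that follows `parse` is cut off at the end of the hunk and is not reviewed here.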
diff --git a/frontend/src/app/main/repo.cljs b/frontend/src/app/main/repo.cljs
index 2ec5b3e26..5d16f5979 100644
--- a/frontend/src/app/main/repo.cljs
+++ b/frontend/src/app/main/repo.cljs
@@ -5,7 +5,7 @@
 ;; This Source Code Form is "Incompatible With Secondary Licenses", as
 ;; defined by the Mozilla Public License, v. 2.0.
 ;;
-;; Copyright (c) 2020 UXBOX Labs SL
+;; Copyright (c) UXBOX Labs SL
 (ns app.main.repo
 (:require