Avoid XXE attacks by default (expand_entities and load_ext_dtd should default to false)

[timretout]

This is a first pass at disabling XXE attacks by default, bringing XML::LibXML in line with the libxml2 upstream defaults, which were changed in 2013. The original libxml2 CVEs are here: https://www.openwall.com/lists/oss-security/2013/02/22/3

OWASP cheatsheet on libxml2 usage recommends disabling those options: https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#libxml2

Related XML::LibXML bug: https://rt.cpan.org/Public/Bug/Display.html?id=118032

I have included a test to show that this doesn't affect expansions such as & as mentioned in that bug report.

[timretout]

I think some doc fixes are still required...

[pali]

Should not be also disabled network access by default, for same security related issues?

[shlomif]

merged, thanks.

[pali]

So network access is still enabled or disabled by default?

[pali]

I opened a new security issue for it: https://github.com/shlomif/perl-XML-LibXML/issues/43

[thibaultduponchelle]

I think some doc fixes are still required...

I think the doc update required is fixed by #48