Ensure DOM parsing defaults to not expanding external entities

[cowtowncoder]

Since there were issues wrt general XML handling:

FasterXML/jackson-dataformat-xml#190

it would make sense to review smaller but relevant concers wrt DOM types that databind supports

http://stackoverflow.com/questions/38017676/small-fix-for-cve-2016-3720-with-older-versions-of-jackson-all-1-9-11-and-in-ja/38018454#38018454

[cowtowncoder]

Looks like DOMDeserializer should disable external entity resolution:

DocumentBuilderFactory.setExpandEntityReferences(false);

it could also be possible to add alternate constructor to take in pre-configured builder factory for users that want to configure this on their own.

[cowtowncoder]

Backported in 2.6.7.4, in addition to original fix for 2.7.6.