The DocumentHelper.parseText could be used to convert Strings to a Document Object. But the function uses SAXReader to parse XML String which is vulnerable to XML Injection. To deal with this problem, we always using setFeature function to disllow doctype and entity. However you use the SAXReader directly and do not offer any function to allow users to config those features. So I think this is a problem here and if users used DocumentHelper.parse and the string to convert was controled by user input such as GET or POST parameters, the application would be vulnerable to XML Injection.
The DocumentHelper.parseText could be used to convert Strings to a Document Object. But the function uses SAXReader to parse XML String which is vulnerable to XML Injection. To deal with this problem, we always using setFeature function to disllow doctype and entity. However you use the SAXReader directly and do not offer any function to allow users to config those features. So I think this is a problem here and if users used DocumentHelper.parse and the string to convert was controled by user input such as GET or POST parameters, the application would be vulnerable to XML Injection.