diff --git a/digid_eherkenning/saml2/eherkenning.py b/digid_eherkenning/saml2/eherkenning.py
index 5051e62..01ca00f 100644
--- a/digid_eherkenning/saml2/eherkenning.py
+++ b/digid_eherkenning/saml2/eherkenning.py
@@ -7,10 +7,9 @@ from django.urls import reverse
 from django.utils import timezone
-from defusedxml.lxml import tostring
 from furl.furl import furl
 from lxml.builder import ElementMaker
-from lxml.etree import Element
+from lxml.etree import Element, tostring
 from OpenSSL import crypto
 from ..choices import AssuranceLevels
diff --git a/digid_eherkenning/utils.py b/digid_eherkenning/utils.py
index a86c191..168eb0c 100644
--- a/digid_eherkenning/utils.py
+++ b/digid_eherkenning/utils.py
@@ -2,9 +2,10 @@ from django.conf import settings
-from defusedxml.lxml import parse
 from lxml import etree
+from .xml import parse
+
 def get_client_ip(request):
     x_forwarded_for = request.META.get("HTTP_X_FORWARDED_FOR")
diff --git a/digid_eherkenning/xml.py b/digid_eherkenning/xml.py
new file mode 100644
index 0000000..e6470c9
--- /dev/null
+++ b/digid_eherkenning/xml.py
@@ -0,0 +1,17 @@
+"""
+XML parsing with DTD/Entities blocking.
+
+Inspired by https://github.com/mvantellingen/python-zeep/pull/1179/ as their solution
+for the deprecated defusedxml.lxml module and the defaults applied in defusedxml.lxml.
+"""
+from lxml.etree import XMLParser, parse as _parse
+
+
+def parse(source):
+    """
+    Parse an LXML etree from source without resolving entities.
+
+    Resolving entities is a security risk, which is why we disable it.
+    """
+    parser = XMLParser(resolve_entities=False)
+    return _parse(source, parser)
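Review bot: Only the `parse` name is swapped in utils.py while `from lxml import etree` stays imported, so any direct `etree.fromstring`/`etree.XML`/`etree.parse` call elsewhere in the module (outside this hunk, so I cannot confirm there is one) would still go through lxml's default parser and miss the `resolve_entities=False` hardening that `.xml.parse` provides. Worth a grep over utils.py for direct `etree.` parsing calls, and a comment next to the import to keep it that way, e.g. `# parse() from .xml disables entity resolution; do not parse with etree.* directly here`. The body of `get_client_ip` continues outside the hunk.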
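Review bot: `XMLParser(resolve_entities=False)` in the new `parse` leaves entity references unexpanded but does not reject a document that declares entities, whereas `defusedxml.lxml.parse` — if I recall its defaults correctly — raised `EntitiesForbidden` for any entity declared in the internal or external DTD (`forbid_entities=True`), so callers silently move from reject-on-declaration to accept-and-leave-unresolved. Either state that difference in the `parse` docstring, or keep the stricter behaviour by inspecting `tree.docinfo` after parsing and rejecting documents whose DTD declares entities, as sketched below. The module docstring's "DTD/Entities blocking" also overstates what the parser option does: the DTD is still read (hence `docinfo.internalDTD` is available), only entity substitution is disabled, so I would reword it to "XML parsing with entity resolution disabled".
```python
def parse(source):
    """
    Parse an LXML etree from source without resolving entities.

    Documents whose internal or external DTD declares entities are rejected,
    matching the defusedxml.lxml default this helper replaces.
    """
    parser = XMLParser(resolve_entities=False)
    tree = _parse(source, parser)
    docinfo = tree.docinfo
    for dtd in (docinfo.internalDTD, docinfo.externalDTD):
        if dtd is not None and next(dtd.iterentities(), None) is not None:
            raise ValueError("XML documents declaring entities are not accepted")
    return tree
```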