  1. XWiki Commons
  2. XCOMMONS-3458

HTMLCleaner should use a securely configured document builder

Details

    • Bug
    • Resolution: Fixed
    • Major
    • 17.10.0-rc-1
    • 16.10.0
    • XML
    • None
    • Unit
    • Unknown
    • N/A
    • N/A

    Description

      The document builder that is used by HTMLCleaner currently isn't configured in any way. While this may be safe as we control the DTD, it would still be better to configure it directly. Further, we recently noticed in a unit test that even with a known DTD, the document builder will try downloading this DTD without further configuration. From what I understand, this shouldn't happen in the actual production code as we never parse any content with this document builder, but we had better be safe and configure the document builder appropriately.

      I don't expect any behavior changes from fixing this; I'm opening this issue mainly to document the change and to have something to reference in case it should turn out that I was wrong and it makes a difference.
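
For reference, one way to configure a JAXP document builder so that it never fetches a DTD named in a DOCTYPE. This is an added example, not the change made in XWiki Commons. It assumes the JDK's built-in parser (the Xerces feature URI and the JAXP 1.5 access properties may be rejected by other implementations); the class name, method name and sample input are hypothetical.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

public class HardenedDocumentBuilderExample {
    /** Builds a DocumentBuilder that never fetches external DTDs, entities or schemas. */
    static DocumentBuilder newHardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        // JAXP secure processing: enables implementation limits (e.g. on entity expansion).
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Keep DOCTYPE allowed (XHTML declares one) but never load the DTD it names.
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        // JAXP 1.5 properties: an empty string means no protocol is allowed.
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);

        DocumentBuilder builder = factory.newDocumentBuilder();
        // Defence in depth: resolve any external identifier to an empty stream.
        builder.setEntityResolver((publicId, systemId) -> new InputSource(new StringReader("")));
        return builder;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: the DOCTYPE names a host that must not be contacted.
        String xhtml = "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\" "
            + "\"http://dtd.invalid/xhtml1-strict.dtd\">"
            + "<html xmlns=\"http://www.w3.org/1999/xhtml\"><body><p>ok</p></body></html>";
        Document doc = newHardenedBuilder().parse(new InputSource(new StringReader(xhtml)));
        System.out.println(doc.getDocumentElement().getTagName());
    }
}
```

A unit test for such a builder can run with networking unavailable and assert that parsing a document with an external DOCTYPE still succeeds.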

          People

            MichaelHamann Michael Hamann
            MichaelHamann Michael Hamann