Set transformer factory attributes to improve protection against XXE

[pjfanning]

https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html recommends these attributes.

Wrapped the setAttribute because some old implementations of the JAXP interfaces are liable to throw exceptions when you set attributes that they don't recognise.

Relates to #3387 - which has a new comment today

[cowtowncoder]

@pjfanning Quick question: was there no "isSupported()" method for checking support for config properties? (I think some APIs have those, others not, probably not here).
Also: is there a link to something mentioning that these are needed in addition to secure-processing flag? Just to add to comment or whatever.

I'm ok with the PR itself, just wondering. Will have another look today, merge when I have more time.

[pjfanning]

I've ended up with putting this sort of change on numerous libs. The docs about what to do are contradictory. That owasp page is regarded as the best source and the scanning tools seem to use it as their guide. I do not know of any other way to set those attributes than adding a catch. If you don't someone running in an old Application Server will hit an exception and log an issue.

[cowtowncoder]

Merged to 2.14 branch as well just in case.