top | item 41523784

(no title)

metafunctor | 1 year ago

Do you mean that it is, in fact, a mistake to use defusedxml instead of lxml in Python?

discuss

slau|1 year ago

From the author themselves, 6 years ago:

> defusedxml.lxml is no longer needed and supported. Nowadays libxml2 has builtin limitation for entity expansion.

https://github.com/tiran/defusedxml/issues/25#issuecomment-4...

masklinn|1 year ago

Note that this is not enabled by default, although there is an upper bound on tree size which does limit the reach of the issue.

See https://lxml.de/FAQ.html#is-lxml-vulnerable-to-xml-bombs for more about the tuning knobs.

metafunctor|1 year ago

OK, so the defusedxml.lxml submodule is deprecated and one should use the other APIs from defusedxml instead. That does not mean that defusedxml in it's entirety would be useless.

JonChesterfield|1 year ago

libxml2 segfaults on me whenever I give it vaguely complicated xsl templates so I'm doubtful about how effective that handling will be.

masklinn|1 year ago

If you’re trying to use it for lxml then yes, it was only ever experimental and has been deprecated (it also failed to define some interfaces correctly causing issues).

If you’re using it over the stdlib then no.