On Thursday, May 17, 2018, Serhiy Storchaka <storchaka@gmail.com> wrote:
[...]
I'm trying to figure out some intentions and fix possible bugs in the xml package.
defusedxml
> XML bomb protection for Python stdlib modules
"""
Best practices
- Don’t allow DTDs
- Don’t expand entities
- Don’t resolve externals
- Limit parse depth
- Limit total input size
- Limit parse time
- Favor a SAX or iterparse-like parser for potential large data
- Validate and properly quote arguments to XSL transformations and XPath queries
- Don’t use XPath expression from untrusted sources
- Don’t apply XSL transformations that come from untrusted sources
"""
The history of all commits could help.
_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: https://mail.python.org/mailman/options/python-dev/wes.turner%40gmail.com