[Python-Dev] The history of PyXML (original) (raw)
Wes Turner wes.turner at gmail.com
Mon May 28 23:08:24 EDT 2018
- Previous message (by thread): [Python-Dev] The history of PyXML
- Next message (by thread): [Python-Dev] Visual Studio Team Services checks on pull requests
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On Thursday, May 17, 2018, Serhiy Storchaka <storchaka at gmail.com> wrote:
[...]
I'm trying to figure out some intentions and fix possible bugs in the xml package.
defusedxml https://pypi.org/project/defusedxml/
XML bomb protection for Python stdlib modules
https://pypi.org/project/defusedxml/#how-to-avoid-xml-vulnerabilities
""" Best practices
- Don’t allow DTDs
- Don’t expand entities
- Don’t resolve externals
- Limit parse depth
- Limit total input size
- Limit parse time
- Favor a SAX or iterparse-like parser for potential large data
- Validate and properly quote arguments to XSL transformations and XPath queries
- Don’t use XPath expression from untrusted sources
- Don’t apply XSL transformations that come untrusted sources """
https://github.com/tiran/defusedxml
The history of all commits could help.
Python-Dev mailing list Python-Dev at python.org https://mail.python.org/mailman/listinfo/python-dev Unsubscribe: https://mail.python.org/mailman/options/python-dev/wes. turner%40gmail.com -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://mail.python.org/pipermail/python-dev/attachments/20180528/236aff24/attachment.html>
- Previous message (by thread): [Python-Dev] The history of PyXML
- Next message (by thread): [Python-Dev] Visual Studio Team Services checks on pull requests
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]