On Thursday, May 17, 2018, Serhiy Storchaka <storchaka@gmail.com> wrote:
[...]

I'm trying to figure out some intentions and fix possible bugs in the xml package. 
 
defusedxml
https://pypi.org/project/defusedxml/

> XML bomb protection for Python stdlib modules

https://pypi.org/project/defusedxml/#how-to-avoid-xml-vulnerabilities

"""
Best practices
- Don’t allow DTDs
- Don’t expand entities
- Don’t resolve externals
- Limit parse depth
- Limit total input size
- Limit parse time
- Favor a SAX or iterparse-like parser for potential large data
- Validate and properly quote arguments to XSL transformations and XPath queries
- Don’t use XPath expression from untrusted sources
- Don’t apply XSL transformations that come untrusted sources
"""

https://github.com/tiran/defusedxml


The history of all commits could help.

_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: https://mail.python.org/mailman/options/python-dev/wes.turner%40gmail.com