ewsterrenburg / python-otrs

Pythonic interface to OTRS SOAP API
GNU General Public License v3.0

Security flaw #29

Closed kmille closed 7 years ago

kmille commented 7 years ago

Hey, thanks for the lib! Unfortunately your XML parser is vulnerable to XXE. Instead of xml.etree.ElementTree please use defusedxml.ElementTree. More information: https://pypi.python.org/pypi/defusedxml/0.4#defusedxml

Thank you!

ewsterrenburg commented 7 years ago

@busbauen Since defusedxml has no equivalent of etree.Element, it cannot be used as a drop-in etree replacement... Could you give some hints how to get this functionality using defusedxml?

kmille commented 7 years ago

Hm. Maybe you can/have to use _Element.

source: http://programtalk.com/vs2/python/7920/wsgidav/wsgidav/xml_tools.py/

```python
useLxml = False
try:
    # lxml with safe defaults
    from defusedxml.lxml import etree
    useLxml = True
    _ElementType = etree._Element
except ImportError:
    # Try xml module (Python 2.5 or later) with safe defaults
    from defusedxml import ElementTree as etree
    # defusedxml doesn't define these non-parsing related objects
    from xml.etree.ElementTree import Element, SubElement, tostring
    etree.Element = _ElementType = Element
    etree.SubElement = SubElement
    etree.tostring = tostring
    # print("WARNING: Could not import lxml: using xml instead (slower).")
    # print("         Consider installing lxml https://pypi.python.org/pypi/lxml.")
```

ewsterrenburg commented 7 years ago

@busbauen, thanks! That link provided the hints I needed.
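The pattern from the thread as a small, runnable module (added example, not code from python-otrs, wsgidav or defusedxml): parsing goes through a hardened parser while Element, SubElement and tostring, which never parse anything, stay stdlib. When defusedxml is not installed, a stand-in built on expat with the same entity-forbidding hooks is used; the document shape in `build_request` is illustrative, not the OTRS wire format.

```python
import xml.parsers.expat as expat
import xml.etree.ElementTree as stdlib_etree
from xml.etree.ElementTree import Element, SubElement, TreeBuilder, tostring

try:
    from defusedxml import EntitiesForbidden
    from defusedxml.ElementTree import fromstring as safe_fromstring
except ImportError:
    # Stand-in (assumption: mirrors defusedxml's default forbid_entities=True):
    # expat drives a stdlib TreeBuilder, and every entity-declaration callback
    # raises before expat gets a chance to expand anything.
    class EntitiesForbidden(ValueError):
        pass

    def _forbid(*_args):
        raise EntitiesForbidden("entity declarations are not allowed")

    def safe_fromstring(text):
        builder = TreeBuilder()
        parser = expat.ParserCreate()
        parser.StartElementHandler = builder.start
        parser.EndElementHandler = builder.end
        parser.CharacterDataHandler = builder.data
        parser.EntityDeclHandler = _forbid
        parser.UnparsedEntityDeclHandler = _forbid
        parser.ExternalEntityRefHandler = _forbid
        parser.Parse(text, True)
        return builder.close()

# Constructed sample: an internal entity declared in the document's own DTD.
ENTITY_DOC = '<!DOCTYPE d [<!ENTITY e "injected">]><d>&e;</d>'


def parse_with_stdlib(text):
    """Plain xml.etree: the declared entity is silently expanded into the tree."""
    return stdlib_etree.fromstring(text).text


def hardened_parse_rejects(text):
    """True when the hardened parser refuses the document outright."""
    try:
        safe_fromstring(text)
    except EntitiesForbidden:
        return True
    return False


def build_request(ticket_id):
    """Building output never parses input, so stdlib Element is fine here."""
    root = Element("Ticket")
    SubElement(root, "TicketID").text = str(ticket_id)
    return tostring(root, encoding="unicode")
```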