usask-rc
commented
7 years ago More reading: https://pypi.python.org/pypi/defusedxml
From my reading, lxml won't load external resources, however with a malicious XML document it could deliver the contents of a local file to an attacker.
Description of problem, and the fix for it, at this URL: https://mikeknoop.com/lxml-xxe-exploit/