Comments (8)
tiran
commented on August 24, 2024
1
@nicostubi Are you running into any kind of bugs or problems? If yes, then please open a bug report.
I'll release 0.8.0 when I have time to verify the code with 3.13.rc1. There are minimal changes between 0.7 and 0.8, mostly documentation and infrastructure improvements.
from defusedxml.
tiran
commented on August 24, 2024
1
defusedxml is not a replacement for lxml. It's a wrapper on top of Python's stdlib xml modules to solve DoS vulnerabilities when parsing of XML from untrusted sources. There is also a lxml wrapper with some opinionated settings.
from defusedxml.
nicostubi
commented on August 24, 2024
Hello,
Will this library be regularly maintained? We are working with Python 3.11 in my company, and the latest official version (0.7) is a no go for us.
Best Regards,
Nicolas
from defusedxml.
nicostubi
commented on August 24, 2024
No, I am evaluating the possiblity to replace lxml by defusedxml, and the viability of this project is the last question that keep me from evaluating its usage in my current feature branch :-)
from defusedxml.
nicostubi
commented on August 24, 2024
I'm trying to find a solution to CWE-20 raised by Bandit: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_imports.html#b410-import-lxml
Well, I think we are back to this question raised by @djbrown: PyCQA/bandit#767
as defusedxml.lxml is deprecated
from defusedxml.
nicostubi
commented on August 24, 2024
after having read this article: https://realpython.com/python-xml-parser/#defuse-the-xml-bomb-with-secure-parsers
I understand a bit more your statement
defusedxml is not a replacement for lxml. It's a wrapper on top of Python's stdlib xml modules to solve DoS vulnerabilities when parsing of XML from untrusted sources
I could use:
>>> import defusedxml.ElementTree as ET
>>> ET.parse("bomb.xml")
and keep on using lxml, or standard libraries if possible.
from defusedxml.
vicent4no
commented on August 24, 2024
For this specific case what I've done is to add a #nosec inline comment for lxml since defusedxml actually removes the possible attack vector.
I manually do the parsing using defusedxml afterwards
from defusedxml.
nicostubi
commented on August 24, 2024
that's exactly what I've done: I keep my feature implemented with lxml and I ensure the xml can be defused. The only difference is I do use defuse before parsing the xml with lxml and I catch any exception to log, and raise it.
from defusedxml.
Related Issues (20)
- LXML Support and XML Validator HOT 1
- [Feature request] Automatically detect imports of vulnerable xml parsers in projects HOT 1
- equivalent of lxml.objectify cleanup_namespaces in defusedxml HOT 1
- defusedxml 0.7.1 & Python 3.9 -- TypeError: __init__() takes 1 positional argument but 4 were given HOT 1
- Please add compatibility with xmlschema HOT 3
- ElementTree.fromstring() does not accept parser as an argument HOT 2
- defusedxml has no method of registering namespaces. HOT 3
- Missing Element class xml.etree.ElementTree.Element HOT 1
- Want to know the estimated time of the next version update HOT 1
- defusedxml reads bytes, not str HOT 3
- Cannot use `xpath` and any other functionality from `lxml` HOT 2
- Missing indent function HOT 1
- Calling defuse_stdlib() raises a DeprecationWarning error with python -W
- [Question] When can we expect to support Python 3.10? HOT 3
- [Question] Correct way to parse HTML with defusedxml? HOT 1
- remove_blank_text and other options of XMLParser missing HOT 3
- Missing XMLParser options WITHOUT deprecated solution HOT 1
- type stubs for mypy HOT 2
- defusedxml does not work with `rich` library to print exceptions
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from defusedxml.