lxml

Outdated suggestion in your FAQs

Bug #1862464 reported by Bernd Schlapsi on 2020-02-08

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	lxml	Triaged	Low	Unassigned

Bug Description

In your FAQ question "How do I use lxml safely as a web-service endpoint?" you suggest to use the wrapper API from defusedxml for a safe lxml usage:
https://git.launchpad.net/lxml/tree/doc/FAQ.txt#n1146

But this wrapper API is deprecated and raises a DeprecationWarning
```
DeprecationWarning: defusedxml.lxml is no longer supported and will be removed in a future release.
from defusedxml.lxml import fromstring
```

See also:
https://github.com/tiran/defusedxml/issues/25
https://github.com/tiran/defusedxml/issues/31

So some documentation how to replace the `defusedxml.lxml.fromstring` function would be highly appreciated. Especially the parameters `forbid_dtd` and `forbid_entities` which are not available in lxml.

Revision history for this message

scoder (scoder) wrote on 2020-02-09:

Yes, defusedxml is no longer maintained, but it took me about one minute to look up the current implementation there:

https://github.com/tiran/defusedxml/blob/master/defusedxml/lxml.py#L112-L131

Doesn't look very sophisticated. Documentation PR welcome.

Changed in lxml:
importance:	Undecided → Low
status:	New → Triaged

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.