Comment 2 for bug 1742885

scoder (scoder) wrote:

This is actually documented:
http://lxml.de/FAQ.html#how-do-i-use-lxml-safely-as-a-web-service-endpoint

And the defusedxml package has additional information about security in lxml (and other XML packages):
https://bitbucket.org/tiran/defusedxml

I agree that it's something that's worth changing, even though it's a backwards-incompatible change.

Pull request welcome. See the "_local_resolver()" function in "parser.pxi". A reasonable logic might be to disallow access to local files by default if the input file itself is not known to be local, but add an XMLParser option to override it. Not sure about the HTMLParser, but that probably suffers from the same issue.
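One way to express the policy sketched above, as an added example rather than lxml's own code or the `_local_resolver()` in `parser.pxi`: a pure-Python decision function (`allow_resource`, a hypothetical name) that refuses local and network lookups unless the input document is known to be local or the caller opts in, plus an `etree.Resolver` subclass that applies it when lxml is installed. The keyword names `input_is_local`, `allow_local` and `allow_network` are assumptions, not real XMLParser options.

```python
"""Resolver policy example (added here; not part of lxml).

Assumed policy: resources referenced by a document (DTDs, external
entities, XIncludes) are refused unless the document itself came from
a local file, or the caller explicitly allows local/network access.
"""
from urllib.parse import urlparse


def allow_resource(system_url, input_is_local=False, allow_local=False,
                   allow_network=False):
    """Return True if a parser may load `system_url` for this document."""
    if not system_url:
        return False
    scheme = urlparse(system_url).scheme.lower()
    # No scheme, file://, or a single-letter Windows drive: a local path.
    if scheme in ("", "file") or len(scheme) == 1:
        return input_is_local or allow_local
    if scheme in ("http", "https", "ftp"):
        return allow_network
    return False  # unknown schemes are refused outright


try:
    from lxml import etree

    class RestrictedResolver(etree.Resolver):
        """Applies allow_resource(); refused lookups yield an empty document
        instead of the referenced file's contents."""

        def __init__(self, **policy):
            super().__init__()
            self.policy = policy
            self.refused = []  # system URLs that were blocked, for logging

        def resolve(self, system_url, public_id, context):
            if allow_resource(system_url, **self.policy):
                return None  # not handled here: fall back to lxml's default
            self.refused.append(system_url)
            return self.resolve_empty()

    def make_parser(**policy):
        # Belt and braces: keep lxml's own entity/network switches off too.
        parser = etree.XMLParser(resolve_entities=False, no_network=True)
        parser.resolvers.add(RestrictedResolver(**policy))
        return parser
except ImportError:  # lxml not installed: the policy function still works
    etree = None
```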