doc: lxml is safe
Explain that lxml is safe against XML bombs and external entity
expansion with network URIs.

Closes: #38
Signed-off-by: Christian Heimes <christian@python.org>
tiran committed Sep 29, 2023
1 parent 6ce5b9e commit a252917
Showing 2 changed files with 20 additions and 7 deletions.
13 changes: 10 additions & 3 deletions README.md
Expand Up @@ -361,11 +361,18 @@ class="title-ref">-1</span> disables the limit.
**DEPRECATED** The module is deprecated and will be removed in a future
release.

lxml is safe against most attack scenarios. [lxml
lxml is safe against most attack scenarios. lxml uses `libxml2` for
parsing XML. The library has builtin mitigations against billion laughs
and quadratic blowup attacks. The parser allows a limit amount of entity
expansions, then fails. lxml also disables network access by default.
libxml2 [lxml
FAQ](https://lxml.de/FAQ.html#how-do-i-use-lxml-safely-as-a-web-service-endpoint)
lists additional recommendations for safe parsing, for example counter
measures against compression bombs. The default parser resolves
entities. To disable entities, you can use a custom parser object:
measures against compression bombs.

The default parser resolves entities and protects against huge trees and
deeply nested entities. To disable entities expansion, use a custom
parser object:

from lxml import etree

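Review bot: the sentence beginning `libxml2 [lxml FAQ](...)` in the new README.md text has a dangling `libxml2` in front of the link, so it renders as "libxml2 lxml FAQ lists additional recommendations"; drop the word or rewrite the sentence as "The [lxml FAQ](https://lxml.de/FAQ.html#how-do-i-use-lxml-safely-as-a-web-service-endpoint) lists additional recommendations for safe parsing". Two grammar slips in the same hunk should go with it: "allows a limit amount of entity expansions, then fails" should read "allows a limited number of entity expansions, then fails", and "To disable entities expansion, use a custom parser object" should read "To disable entity expansion, use a custom parser object".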
14 changes: 10 additions & 4 deletions README.txt
Expand Up @@ -403,10 +403,16 @@ defusedxml.lxml
**DEPRECATED** The module is deprecated and will be removed in a future
release.

lxml is safe against most attack scenarios. `lxml FAQ`_ lists additional
recommendations for safe parsing, for example counter measures against
compression bombs. The default parser resolves entities. To disable
entities, you can use a custom parser object::
lxml is safe against most attack scenarios. lxml uses ``libxml2`` for
parsing XML. The library has builtin mitigations against billion laughs and
quadratic blowup attacks. The parser allows a limit amount of entity
expansions, then fails. lxml also disables network access by default.
libxml2 `lxml FAQ`_ lists additional recommendations for safe parsing,
for example counter measures against compression bombs.

The default parser resolves entities and protects against huge trees and
deeply nested entities. To disable entities expansion, use a custom parser
object::

from lxml import etree

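Review bot: "protects against huge trees and deeply nested entities" holds only while the parser keeps lxml's default `huge_tree=False`, since `huge_tree=True` on `etree.XMLParser` is documented by lxml as disabling libxml2's security restrictions; because this paragraph is the justification for deprecating `defusedxml.lxml`, state that condition here (for example "as long as `huge_tree` is left at its default"), so a reader who already passes `huge_tree=True` does not assume the entity-expansion and tree-size limits still apply. The README.txt copy also repeats the stray "libxml2" before `lxml FAQ`_ and the "a limit amount" / "entities expansion" slips from the README.md hunk, so both files need the same wording fix to stay in sync.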

0 comments on commit a252917