XML parsers #359

Closed
effigies opened this issue Oct 17, 2015 · 5 comments
Comments

@effigies
Member

#354 added XML generation with the builtin xml library, which shouldn't be a security issue, but parsing is a potential problem as malformed XML can cause pathological behavior in the parser.

There are "defused" packages to prevent these issues (e.g. https://pypi.python.org/pypi/defusedxml/), but this would mean adding a dependency, which needs discussion.
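The "defused" approach the comment refers to, as an added illustration that is not code from defusedxml or from this project: hook expat's declaration callbacks so that any entity (and, optionally, any DTD) declaration aborts parsing before the parser expands anything. `defused_parse`, `ForbiddenXML`, `parse_status` and the two sample documents are names and inputs assumed here.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat


class ForbiddenXML(ValueError):
    """Raised when a document declares a DTD or an entity (assumed name)."""


def defused_parse(data: bytes, forbid_dtd: bool = False,
                  forbid_entities: bool = True) -> ET.Element:
    """Parse `data` into an Element, refusing entity (and optionally DTD)
    declarations before the parser can expand them."""
    builder = ET.TreeBuilder()
    parser = expat.ParserCreate()

    def on_entity_decl(name, is_param, value, base, system_id, public_id,
                       notation):
        # Internal entities allow exponential expansion, external ones allow
        # file/network access, so refuse every declaration outright.
        raise ForbiddenXML(f"entity declaration forbidden: {name!r}")

    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise ForbiddenXML(f"DOCTYPE forbidden: {name!r}")

    # Ordinary content events drive the stdlib TreeBuilder directly.
    parser.StartElementHandler = builder.start
    parser.EndElementHandler = builder.end
    parser.CharacterDataHandler = builder.data
    if forbid_entities:
        parser.EntityDeclHandler = on_entity_decl
    if forbid_dtd:
        parser.StartDoctypeDeclHandler = on_doctype
    parser.Parse(data, True)  # a handler exception propagates out of here
    return builder.close()


# Constructed sample inputs (not taken from the issue thread).
PLAIN_DOC = b"<note><to>Alice</to></note>"
ENTITY_DOC = b'<!DOCTYPE note [<!ENTITY greet "hi">]><note>&greet;</note>'


def parse_status(data: bytes, **opts) -> str:
    """Return 'ok:<root tag>' or 'refused:<reason>' for `data`."""
    try:
        return "ok:" + defused_parse(data, **opts).tag
    except ForbiddenXML as exc:
        return "refused:" + str(exc)


def stdlib_text(data: bytes) -> str:
    """What the plain stdlib parser yields: internal entities are expanded."""
    return ET.fromstring(data).text
```

Running `parse_status(PLAIN_DOC)` gives `ok:note`, `parse_status(ENTITY_DOC)` is refused at the entity declaration, and `stdlib_text(ENTITY_DOC)` returns `hi` because the unguarded parser expands the entity.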

@matthew-brett
Member

Chris - sorry to be slow to respond to this.

A pure Python dependency is OK, I think, especially if it is optional. I was a bit worried to see that the last release of defusedxml was 2013, and the last commit was November 2015: https://bitbucket.org/tiran/defusedxml. Do you know of any alternatives?

@effigies
Member Author

effigies commented Aug 7, 2016

Not really. I came across these packages via the official docs.

@effigies
Member Author

Just an update: defusedxml has made a 0.5.0 release to support Python 3.6 about a year ago. Perhaps the low churn is due to stability?

@matthew-brett
Member

Source moved to GitHub: https://github.com/tiran/defusedxml. Last commit 2017-02-10.

Release 0.5.0 with Python 3.6 compatibility on 2017-02-07, about a month after Python 3.6 release on 2016-12-23.

I guess we can contact them and ask what their support plans are?

@effigies
Member Author

According to tiran/defusedxml#27 (comment):

the project is pretty much abandoned. The next versions of CPython 2.7, 3.6, and 3.7 as well as expat 2.3.0 will contain all necessary fixes.

Going to go ahead and close this.
