Defusedxml – defusing XML bombs and other exploits

92 points, by gudzpoz, 8 months ago

7 comments

exabrial, 8 months ago

Back in one day… I saw my first xml/html exploit by another script kiddie on AOL. I was like wtf and began trying to crash my own account. A simple quote mismatch with a bunch of ampersands eventually did it (something like 1000 nested ampersand escape sequences). Anyways, I was pretty proud of what I built, so I found a guy smarting off in an AOL chat and decided to bomb him. And yeah, he was a moderator for AOL… so at 12 years old I got our family account blocked and my dad had an uncomfortable call with the AOL reps about how his son was hacking.

Ah, those were the days.
mjfisher, 8 months ago

Fascinating reading:

> The majority of developers are unacquainted with features such as processing instructions and entity expansions that XML inherited from SGML. At best they know about <!DOCTYPE> from experience with HTML but they are not aware that a document type definition (DTD) can generate an HTTP request or load a file from the file system.

I was one of them!
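The quoted passage covers the DTD features that reach out to the network or file system; the other feature the page's title is about is entity expansion, the "XML bomb". The following is an added example, not code from the defusedxml project or from anyone in this thread, showing how to size a billion-laughs bomb without detonating it. It relies only on the standard library: expat's EntityDeclHandler fires for every `<!ENTITY>` declaration before anything is expanded, the parse is stopped at the end of the DOCTYPE so the body is never touched, and the expanded size of each entity is then computed by recursion over the raw replacement text (general entity references inside an entity value are left unexpanded by the parser, so the `&name;` tokens are still there to count). The helper names (`collect_entities`, `expanded_size`, `bomb_report`, `amplification_factor`, `make_bomb`) and the sample documents are constructed here for the example.

```python
"""Measure an XML bomb without expanding it (added example; stdlib only)."""
import re
import xml.parsers.expat

# A general entity reference such as "&lol3;"; character references ("&#x41;") are excluded.
_ENTITY_REF = re.compile(r"&([^&;#\s]+);")

# The five predefined entities each expand to a single character.
_PREDEFINED = {"lt", "gt", "amp", "apos", "quot"}


class _DtdDone(Exception):
    """Raised from the EndDoctypeDeclHandler so parsing stops before the document body."""


def collect_entities(document: str) -> dict:
    """Return {name: raw replacement text} for every internal general entity in the DTD."""
    entities = {}
    parser = xml.parsers.expat.ParserCreate()

    def entity_decl(name, is_parameter_entity, value, base, system_id, public_id, notation_name):
        # value is None for external entities; internal values still contain "&x;" references.
        if not is_parameter_entity and value is not None:
            entities[name] = value

    def end_doctype():
        raise _DtdDone  # the body may reference the bomb, so never let expat reach it

    parser.EntityDeclHandler = entity_decl
    parser.EndDoctypeDeclHandler = end_doctype
    try:
        parser.Parse(document, True)
    except _DtdDone:
        pass
    return entities


def expanded_size(entities: dict, name: str, _memo=None, _stack=()) -> int:
    """Number of characters entity `name` occupies once every nested reference is expanded."""
    if _memo is None:
        _memo = {}
    if name in _memo:
        return _memo[name]
    if name in _stack:
        raise ValueError(f"entity {name!r} references itself (illegal XML)")
    text = entities.get(name)
    if text is None:
        size = 1 if name in _PREDEFINED else len(name) + 2  # undeclared: left as literal text
    else:
        size, last = 0, 0
        for m in _ENTITY_REF.finditer(text):
            size += m.start() - last
            size += expanded_size(entities, m.group(1), _memo, _stack + (name,))
            last = m.end()
        size += len(text) - last
    _memo[name] = size
    return size


def bomb_report(document: str) -> dict:
    """Expanded size of every declared entity, computed without expanding anything."""
    entities = collect_entities(document)
    memo = {}
    return {name: expanded_size(entities, name, memo) for name in entities}


def amplification_factor(document: str) -> float:
    """Rough proxy for expat's amplification metric: largest entity size over document size.

    expat >= 2.4.0 aborts by default once expansion exceeds 100x the input.
    """
    sizes = bomb_report(document)
    return max(sizes.values()) / len(document) if sizes else 1.0


def make_bomb(levels: int = 10, fanout: int = 10) -> str:
    """Constructed sample: the classic 'billion laughs' document (about 3 GB from < 1 KB)."""
    decls = ['<!ENTITY lol "lol">']
    prev = "lol"
    for i in range(1, levels):
        refs = ("&%s;" % prev) * fanout
        decls.append(f'<!ENTITY lol{i} "{refs}">')
        prev = f"lol{i}"
    return ('<?xml version="1.0"?>\n<!DOCTYPE lolz [\n' + "\n".join(decls)
            + f'\n]>\n<lolz>&{prev};</lolz>\n')


# Constructed benign sample: a DTD that merely defines a shorthand.
BENIGN = '<?xml version="1.0"?><!DOCTYPE note [<!ENTITY company "Example Corp">]><note>&company;</note>'

if __name__ == "__main__":
    bomb = make_bomb()
    print(f"{len(bomb)} byte document, lol9 expands to {bomb_report(bomb)['lol9']:,} chars")
    print(f"amplification ~ {amplification_factor(bomb):.0f}x (benign: {amplification_factor(BENIGN):.2f}x)")
```

The same measurement is what makes a pre-parse policy possible: reject anything whose declared entities would expand past a budget, before handing the bytes to a parser that may or may not have its own limit.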
hannob, 8 months ago

This is largely historic. I had lengthy discussions about this with expat's maintainer.

expat, the xml library underlying python's etree and other xml interfaces, has either mitigated these standard xml vulnerabilities or disables the dangerous features by default.

The python docs are still a bit confusing there, but if you look at this table: https://docs.python.org/3/library/xml.html#xml-vulnerabilities

While this table has a lot of "Vulnerable" in it, they all come with footnotes saying that up-to-date versions of expat are not vulnerable.

So... if you want to have more secure xml parsing in python, make sure you use an up-to-date expat library or one where security fixes have been backported. You don't need anything else.
slau, 8 months ago

DefusedXML is an amazing piece of code.

This being said, many of the mitigations it enables are now also available by default in many "standard" libraries. For example, bandit will often tell you to not use lxml in Python, but instead use defusedxml. However, modern versions don't suffer the same issues at all, and this is a case where automatically following the advice of the linter/SCA is not a great idea.
redbell, 8 months ago

> XML Bomb

This reminds me of Zip Bomb [1], aka Zip of Death (ZOD) [2]

1. https://en.m.wikipedia.org/wiki/Zip_bomb

2. https://github.com/iamtraction/ZOD
move-on-by, 8 months ago

I've always appreciated their drop-in replacement support. It's so nice to just change an import and move on. I've used it on multiple legacy projects with great success; never a single compatibility issue. Great project!
Lance_ET_Compte, 8 months ago

Does `lxml` match `etree` in the table?