The `defusedxml package`_ contains several Python-only workarounds and fixes
for denial of service and other vulnerabilities in Python's XML libraries.
-All functions and parser classes accept t
wo additional keyword arguments.
+All functions and parser classes accept t additional keyword arguments.
forbid_dtd (default: False)
disallow XML with a ``<!DOCTYPE>`` processing instruction and raise a
+ DTDForbidden exception
forbid_entities (default: True)
- disallow XML with ``<!ENTITY>`` declarations inside the DTD and raise a
- EntitiesForbidden exception
+ disallow XML with ``<!ENTITY>`` declarations inside the DTD and raise an
+ EntitiesForbidden exception when an entity is declared.
-All parsers also enforce a hard ban of external entities and retrieval of
-external DTDs by raising an ExternalReferenceForbidden exception.
+forbid_external (default: True)
+ disallow any access to remote or local resources in external entities
+ or DTD and raising an ExternalReferenceForbidden exception when a DTD
+ or entity references an external resource.
parse(), parseString(), DefusedExpatBuilder, DefusedExpatBuilderNS
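Review bot: the new forbid_external entry should say outright that passing forbid_external=False allows external entities and external DTDs to be resolved, because the removed sentence described this as a hard ban enforced by all parsers and anyone relying on the old wording will assume it is still unconditional. I would keep a sentence stating that the default remains True and that callers should only disable it for trusted input. Two wording points in the added lines: "or DTD and raising an ExternalReferenceForbidden exception" should be "and raise an" to match the forbid_dtd and forbid_entities entries, and the intro line "accept t additional keyword arguments" has its count cut off; with forbid_dtd, forbid_entities and forbid_external now listed it should read "three".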