On Thursday, May 17, 2018, Serhiy Storchaka <storchaka at gmail.com> wrote: > [...] > > I'm trying to figure out some intentions and fix possible bugs in the xml > package. defusedxml https://pypi.org/project/defusedxml/ > XML bomb protection for Python stdlib modules https://pypi.org/project/defusedxml/#how-to-avoid-xml-vulnerabilities """ Best practices - Don’t allow DTDs - Don’t expand entities - Don’t resolve externals - Limit parse depth - Limit total input size - Limit parse time - Favor a SAX or iterparse-like parser for potential large data - Validate and properly quote arguments to XSL transformations and XPath queries - Don’t use XPath expression from untrusted sources - Don’t apply XSL transformations that come untrusted sources """ https://github.com/tiran/defusedxml > The history of all commits could help. > > _______________________________________________ > Python-Dev mailing list > Python-Dev at python.org > https://mail.python.org/mailman/listinfo/python-dev > Unsubscribe: https://mail.python.org/mailman/options/python-dev/wes. > turner%40gmail.com > -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://mail.python.org/pipermail/python-dev/attachments/20180528/236aff24/attachment.html>
RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4