
Mitigate XML Vulnerabilities #669

Open
John-P opened this issue Oct 9, 2024 · 1 comment

Comments


John-P commented Oct 9, 2024

I noticed that lxml is being used to parse the XML box. A maliciously crafted XML box could be vulnerable to typical XML attacks such as quadratic blowup or entity expansion (see https://pypi.org/project/defusedxml/#python-xml-libraries). Would it be prudent to go through the example guidance in defusedxml to verify that the setup is safe?

I would be happy to give this a go and open a PR if that would be helpful.
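As an added illustration of the defusedxml guidance the comment above links to (example code written for this discussion, not code from the project or from the commenter): defusedxml's core trick is to install expat callbacks that abort the moment a DOCTYPE, entity declaration or external entity reference appears, so an entity-expansion or quadratic-blowup payload is rejected before anything is expanded. The gate below does the same with the standard library and can run on the raw XML box bytes before they are handed to lxml. The `SAFE_XML_BOX` and `ENTITY_EXPANSION_XML` byte strings are constructed samples, and the function names are this example's own.

```python
"""Pre-flight gate for XML box contents, modelled on defusedxml's expat handlers.

Any document that declares a DTD is refused outright. Entity-expansion attacks
(billion laughs, quadratic blowup) and external-entity tricks all need a DTD,
so a document that passes this gate cannot trigger them in whatever parser
runs afterwards.
"""
from typing import Optional
import xml.etree.ElementTree as ET
import xml.parsers.expat


class UnsafeXMLError(ValueError):
    """Raised when the XML box contains a construct we refuse to process."""


def _gate(data: bytes) -> None:
    """Run expat over the bytes with handlers that abort on any DTD construct."""
    parser = xml.parsers.expat.ParserCreate()

    def reject_doctype(name, system_id, public_id, has_internal_subset):
        raise UnsafeXMLError(f"DOCTYPE declaration not allowed (root {name!r})")

    def reject_entity(entity_name, is_parameter_entity, value, base,
                      system_id, public_id, notation_name):
        raise UnsafeXMLError(f"entity declaration not allowed ({entity_name!r})")

    def reject_external(context, base, system_id, public_id):
        raise UnsafeXMLError("external entity reference not allowed")

    # Exceptions raised inside these handlers propagate out of Parse(),
    # stopping the parser before any entity value is expanded.
    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.ExternalEntityRefHandler = reject_external
    parser.Parse(data, True)


def xml_box_rejection_reason(data: bytes) -> Optional[str]:
    """Return None if the box is acceptable, otherwise a short reason string."""
    try:
        _gate(data)
    except UnsafeXMLError as exc:
        return str(exc)
    except xml.parsers.expat.ExpatError as exc:
        return f"not well-formed: {exc}"
    return None


def parse_xml_box(data: bytes) -> ET.Element:
    """Parse an XML box only after the gate has confirmed it declares no DTD."""
    reason = xml_box_rejection_reason(data)
    if reason is not None:
        raise UnsafeXMLError(reason)
    # Safe to hand to any parser now: with no DTD there is nothing to expand.
    return ET.fromstring(data)


# Constructed sample: a benign XML box payload.
SAFE_XML_BOX = (
    b'<?xml version="1.0"?>'
    b'<metadata><title>constructed sample</title></metadata>'
)

# Constructed sample: a deliberately tiny entity-expansion payload. The gate
# rejects it at the DOCTYPE, so the nested entities are never expanded.
ENTITY_EXPANSION_XML = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE box [<!ENTITY a "aaaa"><!ENTITY b "&a;&a;&a;&a;">]>'
    b'<box>&b;</box>'
)


if __name__ == "__main__":
    for label, box in (("safe", SAFE_XML_BOX), ("expansion", ENTITY_EXPANSION_XML)):
        print(label, "->", xml_box_rejection_reason(box) or "accepted")
```

If lxml stays the parser of record, the same hardening can be applied directly by building it with `lxml.etree.XMLParser(resolve_entities=False, no_network=True, huge_tree=False)`, which stops entity substitution and external fetches; the gate above is stricter in that it refuses any document that so much as declares a DTD, which for embedded metadata boxes is usually the right call.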

@quintusdias
Owner

Possibly... But in looking this over, I see something in XMLBox that I really wish I'd done differently, so I'm going to address that first (non-breaking change), then I'll get back to this.

Development

No branches or pull requests

2 participants