XXE safe XML parsing with external entity resolution disabled

12543 views

                  from defusedxml.ElementTree import fromstring

payload = request.data.decode('utf-8')
root = fromstring(payload)
invoice_number = root.findtext('invoice_number')

XML is still a problem when parsers are left in permissive mode. I disable external entities, refuse network fetches, and prefer simpler formats unless XML is required by an external integration. Attackers love parser defaults that nobody revisited after the project started.

Kai Nakamura

More from Kai Nakamura

XXE safe XML parsing with external entity resolution disabled

0 Comments

More from Kai Nakamura