python 5 lines · 1 tab

XXE safe XML parsing with external entity resolution disabled

Kai Nakamura Apr 2026
1 tab
from defusedxml.ElementTree import fromstring

payload = request.data.decode('utf-8')
root = fromstring(payload)
invoice_number = root.findtext('invoice_number')
1 file · python Explain with highlit

XML is still a problem when parsers are left in permissive mode. I disable external entities, refuse network fetches, and prefer simpler formats unless XML is required by an external integration. Attackers love parser defaults that nobody revisited after the project started.

Share this code

Here's the card — post it anywhere.

XXE safe XML parsing with external entity resolution disabled — share card
Link copied