python
5 lines · 1 tab
Kai Nakamura
Apr 2026
1 tab
from defusedxml.ElementTree import fromstring
payload = request.data.decode('utf-8')
root = fromstring(payload)
invoice_number = root.findtext('invoice_number')
1 file · python
Explain with highlit
XML is still a problem when parsers are left in permissive mode. I disable external entities, refuse network fetches, and prefer simpler formats unless XML is required by an external integration. Attackers love parser defaults that nobody revisited after the project started.
Share this code
Here's the card — post it anywhere.