diff --git a/CHANGELOG.md b/CHANGELOG.md
index a05a5cb..2ac44b8 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,7 @@
 responses (default: false).
 - #298: `--root` argument honors `fs_dav_provider` configuration.
 - #301: `_DAVResource` should have `is_link()` method to avoid dir_browser issues.
+- [#308](https://github.com/mar10/wsgidav/issues/308) remove defusedxml dependency
 ## 4.3.0 / 2023-09-24
diff --git a/Pipfile b/Pipfile
index 9bf694b..d616a53 100644
--- a/Pipfile
+++ b/Pipfile
@@ -35,7 +35,7 @@ safety = "*"
 yabs = "*"
 [packages]
-defusedxml = "*" # "~=0.5"
+defusedxml = "*" # "~=0.7"
 Jinja2 = "*" # "~=2.10"
 PyYAML = "*" # "~=5.1"
 json5 = "*"
diff --git a/docs/source/requirements.txt b/docs/source/requirements.txt
index 34be6fb..347774d 100644
--- a/docs/source/requirements.txt
+++ b/docs/source/requirements.txt
@@ -1,5 +1,5 @@
 # Requirements used by Sphinx / RTD
-defusedxml~=0.5
+defusedxml~=0.7.1
 Jinja2~=3.0
 json5~=0.8.5
 python-pam~=2.0.2
diff --git a/requirements.txt b/requirements.txt
index c9eb45b..b285c66 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,4 +1,4 @@
-defusedxml~=0.5
+defusedxml~=0.7.1
 Jinja2~=3.0
 json5~=0.8.5
 python-pam~=2.0
diff --git a/wsgidav/xml_tools.py b/wsgidav/xml_tools.py
index 982aa11..66bcdf6 100644
--- a/wsgidav/xml_tools.py
+++ b/wsgidav/xml_tools.py
@@ -17,16 +17,11 @@
 # Import XML support
 use_lxml = False
 try:
- # This import helps setup.py to include lxml completely:
- # lxml with safe defaults
- from defusedxml.lxml import _etree as etree
- from lxml import _elementpath as _dummy_elementpath # noqa
+ from lxml import etree
 use_lxml = True
 _ElementType = etree._Element
 except ImportError:
- # warnings.warn("Could not import lxml") # , ImportWarning)
- # Try xml module (Python 2.5 or later) with safe defaults
 # defusedxml doesn't define these non-parsing related objects
 from xml.etree.ElementTree import Element, SubElement, tostring
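Review bot: On the lxml branch of the wsgidav/xml_tools.py import hunk, `etree` is now plain `lxml.etree`, so the hardened entry points that `defusedxml.lxml` provided (the deleted comment reads "lxml with safe defaults") are gone and entity and DTD handling depends on what each parse call passes. I would say so next to the import, e.g. `# NOTE: plain lxml; entity handling must be configured on the parser at every parse call`, and define one shared parser there such as `_safe_parser = etree.XMLParser(resolve_entities=False, no_network=True)`. The deleted `from lxml import _elementpath` import was, per its own comment, there so setup.py bundles lxml completely; if frozen builds still depend on that, the line should stay. The `except ImportError:` branch continues past the end of the hunk, so which module `etree` names on the fallback path is not visible here.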
@@ -49,7 +44,7 @@ def is_etree_element(obj):
 def string_to_xml(text):
 """Convert XML string into etree.Element."""
 try:
- return etree.XML(text)
+ return etree.XML(text, forbid_entities=True)
 except Exception:
 # TODO:
 # ExpatError: reference to invalid character number: line 1, column 62
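Review bot: `forbid_entities` is a defusedxml keyword, and as far as I know `lxml.etree.XML` accepts only `text`, `parser` and `base_url`, so when lxml is installed this call in `string_to_xml` would raise `TypeError`, which the `except Exception:` on the next line then treats like a malformed document. With lxml the restriction belongs on the parser: `return etree.XML(text, parser=etree.XMLParser(resolve_entities=False, no_network=True))`, selected by `use_lxml`, with the keyword form kept for the fallback only if `etree` there is a defusedxml module. A regression test that passes a document declaring an internal entity through `string_to_xml`, with and without lxml installed, would pin the behaviour. The handler body lies outside the hunk.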