{"id":390,"library":"defusedxml","title":"DefusedXML","description":"DefusedXML provides XML bomb protection for Python standard library modules, currently at version 0.7.1. The library aims to prevent denial of service attacks by handling malicious XML documents safely.","status":"active","version":"0.7.1","language":"python","source_language":"en","source_url":"https://github.com/tiran/defusedxml","tags":["xml","security","parsing","defense"],"install":[{"cmd":"pip install defusedxml","lang":"bash","label":"Install DefusedXML"}],"dependencies":[],"imports":[{"note":"Ensure you are using the defusedxml wrapper for safety.","symbol":"ElementTree","correct":"from defusedxml.ElementTree import ElementTree"}],"quickstart":{"code":"from defusedxml.ElementTree import fromstring\n\nxml_data = '<!DOCTYPE foo [<!ENTITY xxe SYSTEM \"file:///etc/passwd\">]><foo>&xxe;</foo>'\ntry:\n    root = fromstring(xml_data)\n    print(root)\nexcept Exception as e:\n    print(str(e))","lang":"python","description":"Quickly parse XML data using defusedxml to prevent XXE attacks."},"warnings":[{"fix":"Upgrade to Python 3 for future compatibility.","message":"Support for Python 2 will be removed in version 0.8.0.","severity":"breaking","affected_versions":"< 0.8.0"},{"fix":"Use defusedxml.ElementTree instead to mitigate `EntitiesForbidden` errors and XXE vulnerabilities.","message":"The defusedxml.cElementTree module is deprecated and may lead to `EntitiesForbidden` errors or XXE vulnerabilities when parsing untrusted XML. Use `defusedxml.ElementTree` for safer XML parsing.","severity":"breaking","affected_versions":">= 0.7.0"},{"fix":"Ensure XML inputs are sanitized to remove untrusted external entity declarations, or explicitly configure defusedxml to allow specific external entities if intended (use with caution for untrusted inputs).","message":"Parsing of XML with external entities (XXE) attempting to access local files (e.g., file:///etc/passwd) is blocked by defusedxml, resulting in an EntitiesForbidden error.","severity":"breaking","affected_versions":">= 0.1.0"}],"env_vars":null,"last_verified":"2026-05-12T13:28:49.041Z","next_check":"2026-06-27T00:00:00.000Z","problems":[{"fix":"Install the package using pip: `pip install defusedxml`","cause":"The `defusedxml` package is not installed in the Python environment being used, or the environment is not correctly activated.","error":"ModuleNotFoundError: No module named 'defusedxml'"},{"fix":"Remove the import of `defusedxml.lxml` and use `lxml` directly, ensuring you configure `lxml`'s parsers with appropriate security settings (e.g., `resolve_entities=False`) if parsing untrusted XML. The `defusedxml` library still provides wrappers for standard library XML modules.","cause":"Developers are importing and using the `defusedxml.lxml` module, which has been deprecated because `lxml` itself has addressed many of its security vulnerabilities, making `defusedxml`'s wrapper redundant.","error":"DeprecationWarning: defusedxml.lxml is no longer supported and will be removed in a future release."},{"fix":"If you trust the XML source and need to allow external entities or DTDs, you can modify the parser's settings (e.g., `forbid_entities=False`, `forbid_dtd=False`, `forbid_external=False`) when creating or calling the defusedxml parser function. For example, `defusedxml.sax.parse(source, handler, forbid_external=False)` or configuring the parser object directly.","cause":"This error occurs when `defusedxml` encounters XML entities (like `<!DOCTYPE>` declarations or external entity references) that it is configured to disallow for security reasons, preventing XML External Entity (XXE) attacks and other exploits.","error":"defusedxml.common.EntitiesForbidden"},{"fix":"Update `defusedxml` to the latest version. The compatibility issues with Python 3.6+ were addressed in later `defusedxml` releases. Ensure your Python version is officially supported by the `defusedxml` version you are using. If an update isn't feasible, consider upgrading your Python environment or refactoring to use a different `defusedxml` submodule if `ElementTree` is the problematic one.","cause":"`defusedxml.ElementTree` had compatibility issues with changes introduced in Python 3.6's `xml.etree.ElementTree` module, specifically around how internal C implementations and pure-Python fallbacks were handled, leading to failures during import or parsing.","error":"TypeError: object of type 'NoneType' has no len() or similar errors when using defusedxml.ElementTree with Python 3.6+"}],"ecosystem":"pypi","meta_description":null,"install_score":0,"install_tag":"stale","quickstart_score":80,"quickstart_tag":"verified","pypi_latest":null,"install_checks":{"last_tested":"2026-05-12","tag":"stale","tag_description":"widespread failures or data too old to trust","results":[{"runtime":"python:3.10-alpine","python_version":"3.10","os_libc":"alpine (musl)","variant":"default","exit_code":1,"wheel_type":null,"failure_reason":null,"install_time_s":null,"import_time_s":null,"mem_mb":null,"disk_size":null},{"runtime":"python:3.10-slim","python_version":"3.10","os_libc":"slim (glibc)","variant":"default","exit_code":1,"wheel_type":null,"failure_reason":null,"install_time_s":null,"import_time_s":null,"mem_mb":null,"disk_size":null},{"runtime":"python:3.11-alpine","python_version":"3.11","os_libc":"alpine (musl)","variant":"default","exit_code":1,"wheel_type":null,"failure_reason":null,"install_time_s":null,"import_time_s":null,"mem_mb":null,"disk_size":null},{"runtime":"python:3.11-slim","python_version":"3.11","os_libc":"slim (glibc)","variant":"default","exit_code":1,"wheel_type":null,"failure_reason":null,"install_time_s":null,"import_time_s":null,"mem_mb":null,"disk_size":null},{"runtime":"python:3.12-alpine","python_version":"3.12","os_libc":"alpine (musl)","variant":"default","exit_code":1,"wheel_type":null,"failure_reason":null,"install_time_s":null,"import_time_s":null,"mem_mb":null,"disk_size":null},{"runtime":"python:3.12-slim","python_version":"3.12","os_libc":"slim (glibc)","variant":"default","exit_code":1,"wheel_type":null,"failure_reason":null,"install_time_s":null,"import_time_s":null,"mem_mb":null,"disk_size":null},{"runtime":"python:3.13-alpine","python_version":"3.13","os_libc":"alpine (musl)","variant":"default","exit_code":1,"wheel_type":null,"failure_reason":null,"install_time_s":null,"import_time_s":null,"mem_mb":null,"disk_size":null},{"runtime":"python:3.13-slim","python_version":"3.13","os_libc":"slim (glibc)","variant":"default","exit_code":1,"wheel_type":null,"failure_reason":null,"install_time_s":null,"import_time_s":null,"mem_mb":null,"disk_size":null},{"runtime":"python:3.9-alpine","python_version":"3.9","os_libc":"alpine (musl)","variant":"default","exit_code":1,"wheel_type":null,"failure_reason":null,"install_time_s":null,"import_time_s":null,"mem_mb":null,"disk_size":null},{"runtime":"python:3.9-slim","python_version":"3.9","os_libc":"slim (glibc)","variant":"default","exit_code":1,"wheel_type":null,"failure_reason":null,"install_time_s":null,"import_time_s":null,"mem_mb":null,"disk_size":null}]},"quickstart_checks":{"last_tested":"2026-04-23","tag":"verified","tag_description":"quickstart runs on critical runtimes, recently tested","results":[{"runtime":"python:3.10-alpine","exit_code":0},{"runtime":"python:3.10-slim","exit_code":0},{"runtime":"python:3.11-alpine","exit_code":0},{"runtime":"python:3.11-slim","exit_code":0},{"runtime":"python:3.12-alpine","exit_code":0},{"runtime":"python:3.12-slim","exit_code":0},{"runtime":"python:3.13-alpine","exit_code":0},{"runtime":"python:3.13-slim","exit_code":0},{"runtime":"python:3.9-alpine","exit_code":0},{"runtime":"python:3.9-slim","exit_code":0}]}}