{"id":2825,"library":"types-defusedxml","title":"Typing stubs for defusedxml","description":"types-defusedxml provides type hints for the defusedxml library, which offers protection against XML-related security vulnerabilities like XML bombs (Billion Laughs, Quadratic Blowup) and external entity attacks in Python's standard library XML modules. It is part of the typeshed project and allows type checkers to analyze code using defusedxml for correctness. This package ensures compatibility with defusedxml==0.7.* and is regularly updated.","status":"active","version":"0.7.0.20260408","language":"en","source_language":"en","source_url":"https://github.com/python/typeshed","tags":["typing","stubs","xml","security","typeshed","defusedxml"],"install":[{"cmd":"pip install types-defusedxml","lang":"bash","label":"Install types-defusedxml"},{"cmd":"pip install defusedxml","lang":"bash","label":"Install runtime dependency (required for execution)"}],"dependencies":[{"reason":"Provides the runtime implementation that these stubs type-check.","package":"defusedxml","optional":false}],"imports":[{"symbol":"ElementTree","correct":"import defusedxml.ElementTree as ET"},{"symbol":"fromstring","correct":"from defusedxml.ElementTree import fromstring"},{"symbol":"parse","correct":"from defusedxml.ElementTree import parse"},{"symbol":"minidom","correct":"import defusedxml.minidom as minidom"},{"symbol":"sax","correct":"import defusedxml.sax as sax"},{"note":"`defusedxml.lxml` is deprecated and should generally be avoided; use lxml's native secure parsing instead.","wrong":"from defusedxml.lxml import parse","symbol":"lxml","correct":"import defusedxml.lxml"}],"quickstart":{"code":"import defusedxml.ElementTree as ET\nfrom typing import Dict, Any\n\nxml_data_safe = \"<root><item>safe_data</item></root>\"\nxml_data_malicious = \"\"\"\n<!DOCTYPE foo [\n<!ELEMENT foo ANY >\n<!ENTITY xxe SYSTEM \\\"file:///non_existent_path\\\" >\n]>\n<foo>&xxe;</foo>\n\"\"\"\n\ndef parse_xml_safely(xml_string: str) -> Dict[str, Any]:\n    try:\n        # types-defusedxml provides type hints for ET.fromstring\n        root = ET.fromstring(xml_string)\n        result = {child.tag: child.text for child in root}\n        print(f\"Successfully parsed: {result}\")\n        return result\n    except ET.EntitiesForbidden as e:\n        # defusedxml rejects entity declarations by default (forbid_entities=True)\n        print(f\"Caught an XML entity expansion attempt: {e}\")\n        return {\"error\": \"Entities Forbidden\"}\n    except ET.ParseError as e:\n        print(f\"Caught a general XML parsing error: {e}\")\n        return {\"error\": \"Parse Error\"}\n\n# Example usage with safe data\nparse_xml_safely(xml_data_safe)\n\n# Example usage with malicious data (XXE attempt)\n# This should be blocked by defusedxml, with stubs informing type checkers\n# about the EntitiesForbidden exception.\nparse_xml_safely(xml_data_malicious)\n","lang":"python","description":"Demonstrates how to use `defusedxml.ElementTree.fromstring` to parse XML data securely, including handling potential XML entity expansion attacks. The `types-defusedxml` package provides the necessary type hints for `defusedxml` components, allowing static analysis tools to verify type correctness and anticipate exceptions like `EntitiesForbidden`."},"warnings":[{"fix":"Ensure both `types-defusedxml` and `defusedxml` are installed: `pip install types-defusedxml defusedxml`.","message":"Stub-only package: `types-defusedxml` is solely for static type checking and contains no runtime code. To utilize `defusedxml` functionality, the `defusedxml` package must also be installed in your environment (`pip install defusedxml`).","severity":"gotcha","affected_versions":"All versions of types-defusedxml"},{"fix":"It is recommended to pin the stub package version (e.g., `types-defusedxml==0.7.0.YYYYMMDD`) or align its version bounds with your `defusedxml` installation to ensure compatibility: `pip install 'types-defusedxml~=X.Y'` where `X.Y` matches your `defusedxml` version.","message":"Version Mismatches: Type stubs in typeshed are updated frequently. While `types-defusedxml` aims to provide accurate annotations for `defusedxml==0.7.*`, mismatches between the stub version and the runtime `defusedxml` version can lead to incorrect type-checking results, especially if `defusedxml`'s API changes.","severity":"gotcha","affected_versions":"All versions"},{"fix":"Users of `defusedxml.lxml` should migrate to using `lxml`'s native secure parsing options, such as `lxml.etree.XMLParser(resolve_entities=False)` for explicit control over entity resolution.","message":"The `defusedxml.lxml` module is deprecated within `defusedxml` and is slated for removal in future releases. `lxml` itself has built-in mitigations for many XML attacks (e.g., billion laughs, quadratic blowup).","severity":"deprecated","affected_versions":"defusedxml >=0.6.0 (the deprecation in the typeshed stubs reflects the runtime library)"},{"fix":"Review type checker errors after updating and adjust your code or explicitly pin the `types-defusedxml` version to a known compatible one. Consider using tools like Dependabot or Renovate for managing stub version updates.","message":"Changes from Typeshed: Although typeshed strives to minimize breaking changes, any update to stub packages can potentially introduce changes that might cause your code to fail type-checking. This can occur if the underlying library's API has changed or if the stubs become more restrictive in their type definitions.","severity":"breaking","affected_versions":"All versions, due to continuous updates of the typeshed project."}],"env_vars":null,"last_verified":"2026-04-10T00:00:00.000Z","next_check":"2026-07-09T00:00:00.000Z"}