DefusedXML
DefusedXML provides XML bomb protection for Python standard library modules, currently at version 0.7.1. The library aims to prevent denial of service attacks by handling malicious XML documents safely.
Install: pip install defusedxml

Common errors

Error: ModuleNotFoundError: No module named 'defusedxml'
Cause: The `defusedxml` package is not installed in the Python environment in use, or that environment is not activated.
Fix: Install the package with pip:
pip install defusedxml

Error: DeprecationWarning: defusedxml.lxml is no longer supported and will be removed in a future release.
Cause: Code imports and uses the `defusedxml.lxml` module, which has been deprecated because `lxml` itself has addressed many of its security vulnerabilities, making `defusedxml`'s wrapper redundant.
Fix: Remove the import of defusedxml.lxml and use lxml directly. If you parse untrusted XML, configure lxml's parser with appropriate security settings (for example resolve_entities=False). The defusedxml library still provides wrappers for the standard library XML modules.

Error: defusedxml.common.EntitiesForbidden
Cause: `defusedxml` raises this when it encounters XML entities (such as `<!DOCTYPE>` declarations or external entity references) that it is configured to disallow, which is how it prevents XML External Entity (XXE) attacks and related exploits.
Fix: If you trust the XML source and need to allow external entities or DTDs, change the parser's settings (forbid_entities=False, forbid_dtd=False, forbid_external=False) when creating the parser or calling the defusedxml parse function, for example defusedxml.sax.parse(source, handler, forbid_external=False), or configure the parser object directly.

Error: TypeError: object of type 'NoneType' has no len() (or similar errors) when using defusedxml.ElementTree with Python 3.6+
Cause: `defusedxml.ElementTree` had compatibility issues with changes introduced in Python 3.6's `xml.etree.ElementTree` module, specifically in how the internal C implementation and the pure-Python fallback were handled, which led to failures during import or parsing.
Fix: Update defusedxml to the latest version; the Python 3.6+ compatibility issues were addressed in later defusedxml releases. Make sure your Python version is officially supported by the defusedxml version you use. If an update is not feasible, consider upgrading your Python environment, or switch to a different defusedxml submodule if ElementTree is the problematic one.

Warnings

Breaking: Support for Python 2 will be removed in version 0.8.0.
Fix: Upgrade to Python 3 for future compatibility.

Breaking: The defusedxml.cElementTree module is deprecated and may lead to `EntitiesForbidden` errors or XXE vulnerabilities when parsing untrusted XML.
Fix: Use `defusedxml.ElementTree` instead to mitigate `EntitiesForbidden` errors and XXE vulnerabilities.

Breaking: Parsing of XML with external entities (XXE) that attempt to access local files (e.g., file:///etc/passwd) is blocked by defusedxml, resulting in an EntitiesForbidden error.
Fix: Ensure XML inputs are sanitized to remove untrusted external entity declarations, or explicitly configure defusedxml to allow specific external entities if that is intended (use with caution for untrusted inputs).
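The following is an added example, not defusedxml's own code, written to show what the three policy switches described above (forbid_dtd, forbid_entities, forbid_external) actually do and why an EntitiesForbidden error appears on documents like the file:///etc/passwd probe. It uses only the standard library: expat callbacks are the same mechanism defusedxml hooks, so the checks can be run and inspected without the package installed. The exception classes (named after defusedxml's for readability), the parse_untrusted and classify functions, and the sample documents are all local definitions constructed for this example.

```python
import xml.parsers.expat
from xml.etree.ElementTree import TreeBuilder


class DefusedXmlException(ValueError):
    """Base class for the three local policy violations (constructed for this example)."""


class DTDForbidden(DefusedXmlException):
    """A <!DOCTYPE ...> declaration was seen while forbid_dtd=True."""


class EntitiesForbidden(DefusedXmlException):
    """An <!ENTITY ...> declaration was seen while forbid_entities=True."""


class ExternalReferenceForbidden(DefusedXmlException):
    """A reference to an external entity was seen while forbid_external=True."""


def parse_untrusted(data, forbid_dtd=False, forbid_entities=True, forbid_external=True):
    """Parse str/bytes XML into an ElementTree Element, or raise a policy error.

    Defaults mirror defusedxml's: DTDs allowed, entity declarations and
    external references refused. Each check is an expat callback that raises
    before expat expands anything, so an entity-expansion bomb is stopped at
    its declaration rather than after it has consumed memory.
    """
    builder = TreeBuilder()
    parser = xml.parsers.expat.ParserCreate()

    # Forward element events to ElementTree's builder so a real Element comes out.
    parser.StartElementHandler = builder.start
    parser.EndElementHandler = builder.end
    parser.CharacterDataHandler = builder.data

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise DTDForbidden(f"DTD is forbidden: DOCTYPE {name!r}")

    def reject_entity(name, is_param, value, base, sysid, pubid, notation):
        raise EntitiesForbidden(f"entity declaration is forbidden: {name!r} (system id {sysid!r})")

    def reject_unparsed(name, base, sysid, pubid, notation):
        raise EntitiesForbidden(f"unparsed entity declaration is forbidden: {name!r}")

    def reject_external(context, base, sysid, pubid):
        raise ExternalReferenceForbidden(f"external reference is forbidden: {sysid!r}")

    if forbid_dtd:
        parser.StartDoctypeDeclHandler = reject_doctype
    if forbid_entities:
        parser.EntityDeclHandler = reject_entity
        parser.UnparsedEntityDeclHandler = reject_unparsed
    if forbid_external:
        parser.ExternalEntityRefHandler = reject_external

    if isinstance(data, str):
        data = data.encode("utf-8")
    parser.Parse(data, True)  # the handlers above raise on the first violation
    return builder.close()


def classify(data, **flags):
    """Name of the policy the document violated, or None if it was accepted.

    Useful on the detection side: log which rule an untrusted upload tripped.
    """
    try:
        parse_untrusted(data, **flags)
    except DefusedXmlException as exc:
        return type(exc).__name__
    return None


# Constructed sample inputs. XXE_DOC is the same document as the page's quickstart.
BENIGN_DOC = '<foo a="1">hello</foo>'
XXE_DOC = '<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><foo>&xxe;</foo>'
BOMB_DOC = (
    '<!DOCTYPE lolz [<!ENTITY lol "lol">'
    '<!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">]>'
    "<lolz>&lol2;</lolz>"
)

if __name__ == "__main__":
    root = parse_untrusted(BENIGN_DOC)
    print("benign:", root.tag, root.attrib, root.text)
    for label, doc in (("xxe", XXE_DOC), ("bomb", BOMB_DOC)):
        print(label, "under default policy ->", classify(doc))
    print("xxe, entities allowed but external refs forbidden ->",
          classify(XXE_DOC, forbid_entities=False))
    print("xxe, DTD forbidden ->", classify(XXE_DOC, forbid_dtd=True))
```

With the defaults the XXE probe is refused at the `<!ENTITY xxe ...>` declaration (EntitiesForbidden), which is the same stage at which defusedxml's fromstring stops it. Relaxing forbid_entities alone still leaves the `&xxe;` reference blocked by the external-reference check, and forbid_dtd=True rejects the document at the DOCTYPE before any declaration is read; the expansion bomb is stopped at its first entity declaration, before any expansion happens.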
Install compatibility (stale; last tested 2026-05-12)
No results recorded (wheel, install, import and disk columns all "-") for Python 3.9, 3.10, 3.11, 3.12 and 3.13 on alpine (musl) and slim (glibc) images.
Imports
- ElementTree
from defusedxml.ElementTree import ElementTree
Quickstart (verified; last tested 2026-04-23)
from defusedxml.ElementTree import fromstring

# An XXE probe: a DTD that declares an external entity pointing at a local file.
xml_data = '<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><foo>&xxe;</foo>'
try:
    root = fromstring(xml_data)
    print(root)
except Exception as e:
    # With the default settings (forbid_entities=True) defusedxml refuses the
    # entity declaration and raises defusedxml.common.EntitiesForbidden.
    print(str(e))