Merge pull request PowerGridModel#387 from PowerGridModel/fix-defusedxml-deps

figueroa1395 · web-flow · commit b5b8cd824b80 · 2026-03-05T08:02:54.000Z
Revert to default XML parser
diff --git a/docs/converters/tabular_converter.md b/docs/converters/tabular_converter.md
@@ -381,9 +381,12 @@ Mapping files enable the specification of custom mappings or filter functions.
 These functions can come from the `power-grid-model-io` library, be user-provided, or even supplied by third parties.
 To ensure security, we have implemented several measures.
 Best practices are recommended to prevent malicious code execution.
-XML parsing is performed using the defusedxml library instead of the standard library xml module.
-This ensures that unsafe XML features are disabled by default when processing mapping files or related inputs.
-[Python XML security](https://docs.python.org/3/library/xml.html#xml-security)
+XML parsing is performed using the standard library's `xml` module. For `python < 3.11`, `xml` was built
+with `expat = 2.6.0` which was vulnerable; however, `python >= 3.11` includes `expat = 2.7.1` which no
+longer is.
+This ensures that unsafe XML features are disabled by default when processing mapping files or related
+inputs. See the this [issue](https://github.com/python/cpython/issues/127502) and the
+[Python XML security](https://docs.python.org/3/library/xml.html#xml-security) documentation.
 
 ### Safe Loading of Configuration Files
 
diff --git a/pyproject.toml b/pyproject.toml
@@ -167,7 +167,7 @@ select = [
     # pytest-style
     "PT",
 ]
-ignore = []
+ignore = ["S314"]  # S314: xml parsing is no longer considered unsafe python >= 3.11 (https://github.com/python/cpython/pull/135294)
 
 [tool.ruff.lint.isort]
 # Imports that are imported using keyword "as" and are from the same source - are combined.
diff --git a/src/power_grid_model_io/utils/excel_ambiguity_checker.py b/src/power_grid_model_io/utils/excel_ambiguity_checker.py
@@ -20,12 +20,11 @@
     - zipfile to handle the Excel file as a ZIP archive for parsing.
 """
 
+import xml.etree.ElementTree as ET
 import zipfile
 from collections import Counter
 from pathlib import Path
 
-from defusedxml import ElementTree as ET
-
 XML_NAME_SPACE = {"": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}  # NOSONAR
 WORK_BOOK = "xl/workbook.xml"
 SHARED_STR_PATH = "xl/sharedStrings.xml"

Original file line number	Diff line number	Diff line change
`@@ -167,7 +167,7 @@ select = [`
`167`	`167`	`# pytest-style`
`168`	`168`	`"PT",`
`169`	`169`	`]`
`170`		`-ignore = []`
	`170`	`+ignore = ["S314"] # S314: xml parsing is no longer considered unsafe python >= 3.11 (https://github.com/python/cpython/pull/135294)`
`171`	`171`
`172`	`172`	`[tool.ruff.lint.isort]`
`173`	`173`	`# Imports that are imported using keyword "as" and are from the same source - are combined.`