Merge pull request #310 from mar10/pr/308

remove defusedxml.lxml

Author: mar10

CHANGELOG.md

@@ -6,6 +6,7 @@
   responses (default: false).
 - #298: `--root` argument honors `fs_dav_provider` configuration.
 - #301: `_DAVResource` should have `is_link()` method to avoid dir_browser issues.
+- [#308](https://github.com/mar10/wsgidav/issues/308) remove defusedxml dependency
 
 ## 4.3.0 / 2023-09-24
 

Pipfile

@@ -35,7 +35,7 @@ safety = "*"
 yabs = "*"
 
 [packages]
-defusedxml = "*"  # "~=0.5"
+defusedxml = "*"  # "~=0.7"
 Jinja2 = "*"  # "~=2.10"
 PyYAML = "*"  # "~=5.1"
 json5 = "*"

docs/source/requirements.txt

@@ -1,5 +1,5 @@
 # Requirements used by Sphinx / RTD
-defusedxml~=0.5
+defusedxml~=0.7.1
 Jinja2~=3.0
 json5~=0.8.5
 python-pam~=2.0.2

requirements.txt

@@ -1,4 +1,4 @@
-defusedxml~=0.5
+defusedxml~=0.7.1
 Jinja2~=3.0
 json5~=0.8.5
 python-pam~=2.0

wsgidav/xml_tools.py

@@ -17,16 +17,11 @@
 # Import XML support
 use_lxml = False
 try:
-    # This import helps setup.py to include lxml completely:
-    # lxml with safe defaults
-    from defusedxml.lxml import _etree as etree
-    from lxml import _elementpath as _dummy_elementpath  # noqa
+    from lxml import etree
 
     use_lxml = True
     _ElementType = etree._Element
 except ImportError:
-    # warnings.warn("Could not import lxml")  # , ImportWarning)
-    # Try xml module (Python 2.5 or later) with safe defaults
     # defusedxml doesn't define these non-parsing related objects
     from xml.etree.ElementTree import Element, SubElement, tostring
 
@@ -49,7 +44,7 @@ def is_etree_element(obj):
 def string_to_xml(text):
     """Convert XML string into etree.Element."""
     try:
-        return etree.XML(text)
+        return etree.XML(text, forbid_entities=True)
     except Exception:
         # TODO:
         # ExpatError: reference to invalid character number: line 1, column 62