Add warning about lack of validation for xml.sax.saxutils.XMLGenerator

sethmlarson · sethmlarson · commit d1e4e123cc88 · 2025-10-01T10:07:29.000-05:00
diff --git a/Doc/library/xml.sax.utils.rst b/Doc/library/xml.sax.utils.rst
@@ -61,6 +61,13 @@ or as base classes.
 
 .. class:: XMLGenerator(out=None, encoding='iso-8859-1', short_empty_elements=False)
 
+   .. warning::
+      :class:`~xml.sax.handler.XMLGenerator` does not validate element or
+      attribute names. Callers must ensure that names passed to APIs conform
+      to `XML name rules <https://www.w3.org/TR/xml/#NT-Name>`__ if passing
+      untrusted input. Character data and attribute values are escaped,
+      but not validated.
+
    This class implements the :class:`~xml.sax.handler.ContentHandler` interface
    by writing SAX
    events back into an XML document. In other words, using an :class:`XMLGenerator`
diff --git a/Misc/NEWS.d/next/Documentation/2025-10-01-10-06-52.gh-issue-139478.AdnsbB.rst b/Misc/NEWS.d/next/Documentation/2025-10-01-10-06-52.gh-issue-139478.AdnsbB.rst
@@ -0,0 +1 @@
+Add warning about lack of validation for ``xml.sax.saxutils.XMLGenerator``.

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	+Add warning about lack of validation for ``xml.sax.saxutils.XMLGenerator``.