gh-139313: Improve docs on XML security

[hartwork]

• Issue: Update the XML security documentation #139313

---

📚 Documentation preview 📚: https://cpython-previews--139460.org.readthedocs.build/

[hartwork]

@vstinner I saw your related work in commit cb99d99. Would you be up for review here?

[hartwork]

@picnixz I was hoping for this PR to be a quick and uncontroversial win for everyone. Would you be up to get this over the finish line with me? Else could you connect me to someone up for it? I believe @hedsnz uncovered some actual issues in #139313 that are worth addressing.

The keys ideas in this pull request are:

• warn about ExternalEntityRefHandler right where users will be looking
• try to make clear that XML issues are not a problem of Python in particular
• that the defaults are pretty good by now
• that >=2.6.0 is no longer recent enough but >=2.7.2
• that use of system Expat depends on configuration while resisting to copy details but refer to another page
• link to upstream Expat for users unknown to Expat

What do you think?

[hedsnz]

Thanks very much @hartwork, this PR addresses everything in the issue I originally raised, and I think it strikes a good balance between giving enough background so that people know where to start looking for further information, while not giving so much information that is better documented elsewhere.

I've offered a couple of very minor wording suggestions.

[hartwork]

Thanks very much @hartwork, this PR addresses everything in the issue I originally raised, and I think it strikes a good balance between giving enough background so that people know where to start looking for further information, while not giving so much information that is better documented elsewhere.

@hedsnz cool, thanks for your support!

I've offered a couple of very minor wording suggestions.

Thanks for the review!

[hartwork]

@vstinner could this be merged please please?

[StanFromIreland]

Note that the general guideline around here is to wait a month before pinging, there is a long queue of PRs (>2000!).

[hartwork]

@StanFromIreland I understand that the project has many other pull request but I'll be honest with you, I only jumped in to help with this PR here (that was not my own pain point) because I felt like it could be a quick win, and this pull request is way too trivial and tiny to have a life of 3 weeks in my book. It only means that I will twice to be the guy providing doc fixes like this next time. I'm not sure that's intended. I'm happy to team up with you personally on other pull request review in CPython as feasible if that helps you move faster on the queue. Thanks for considering my side.

[vstinner]

@vstinner could this be merged please please?

I don't know XML very well. Maybe @encukou or @serhiy-storchaka would like to review it.

[hartwork]

I don't know XML very well. Maybe @encukou or @serhiy-storchaka would like to review it.

@vstinner thanks!

(I was asking you because of your commit cb99d99 on Doc/library/xml.rst.)

[serhiy-storchaka]

LGTM. 👍

[vstinner]

LGTM. Should we backport this change to 3.13 and 3.14?

[hartwork]

LGTM.

@vstinner thank you!

Should we backport this change to 3.13 and 3.14?

I have a feeling the question is probably more towards other Python core devs. If you decide for it and @bedevere-bot has trouble auto-cherry-picking, I'll be happy to help with a manual backbort.

[serhiy-storchaka]

If it is worth to be committed in main, it should be backported.

[hartwork]

Ready to merge?

[miss-islington-app]

Thanks @hartwork for the PR, and @serhiy-storchaka for merging it 🌮🎉.. I'm working now to backport this PR to: 3.13, 3.14.
🐍🍒⛏🤖

[bedevere-app]

GH-141065 is a backport of this pull request to the 3.14 branch.

[bedevere-app]

GH-141066 is a backport of this pull request to the 3.13 branch.

[hartwork]

@serhiy-storchaka thank you! 🙏

[serhiy-storchaka]

Thank you for your contribution.