Use Safe Parsers in `lxml` Parsing Functions #8

pixeebot · 2025-08-02T03:40:42Z

This codemod sets the parser parameter in calls to lxml.etree.parse and lxml.etree.fromstring if omitted or set to None (the default value). Unfortunately, the default parser=None means lxml will rely on an unsafe parser, making your code potentially vulnerable to entity expansion attacks and external entity (XXE) attacks.

The changes look as follows:

  import lxml.etree
- lxml.etree.parse("path_to_file")
- lxml.etree.fromstring("xml_str")
+ lxml.etree.parse("path_to_file", parser=lxml.etree.XMLParser(resolve_entities=False))
+ lxml.etree.fromstring("xml_str", parser=lxml.etree.XMLParser(resolve_entities=False))

More reading

🧚🤖 Powered by Pixeebot

Feedback | Community | Docs | Codemod ID: pixee:python/safe-lxml-parsing

pixeebot · 2025-08-10T03:01:58Z

I'm confident in this change, but I'm not a maintainer of this project. Do you see any reason not to merge it?

If this change was not helpful, or you have suggestions for improvements, please let me know!

pixeebot · 2025-08-11T03:01:20Z

Just a friendly ping to remind you about this change. If there are concerns about it, we'd love to hear about them!

Use Safe Parsers in lxml Parsing Functions

9ca65e9

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Use Safe Parsers in `lxml` Parsing Functions #8

Use Safe Parsers in `lxml` Parsing Functions #8

Uh oh!

pixeebot bot commented Aug 2, 2025

Uh oh!

pixeebot bot commented Aug 10, 2025

Uh oh!

pixeebot bot commented Aug 11, 2025

Uh oh!

Uh oh!

Use Safe Parsers in lxml Parsing Functions #8

Are you sure you want to change the base?

Use Safe Parsers in lxml Parsing Functions #8

Uh oh!

Conversation

pixeebot bot commented Aug 2, 2025

Uh oh!

pixeebot bot commented Aug 10, 2025

Uh oh!

pixeebot bot commented Aug 11, 2025

Uh oh!

Uh oh!

Use Safe Parsers in `lxml` Parsing Functions #8

Use Safe Parsers in `lxml` Parsing Functions #8