oxml: don't resolve XML entities in oxml_parser
Resolving entities in the XML is not required by the Open XML standard
and represents a security vulnerability. Turn off entity resolution in
both the opc (package) parser and the part parser.
Steve Canny committed Apr 10, 2016
1 parent 19b1664 commit 61b40b1
Showing 2 changed files with 2 additions and 2 deletions.
2 changes: 1 addition & 1 deletion docx/opc/oxml.py
Expand Up @@ -16,7 +16,7 @@

# configure XML parser
element_class_lookup = etree.ElementNamespaceClassLookup()
oxml_parser = etree.XMLParser(remove_blank_text=True)
oxml_parser = etree.XMLParser(remove_blank_text=True, resolve_entities=False)
oxml_parser.set_element_class_lookup(element_class_lookup)

nsmap = {
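Review bot: the parser change in `docx/opc/oxml.py` ships without a regression test, so nothing guards against the flag being dropped again; a test that parses a package part carrying an internal DTD entity declaration and a reference to it, then asserts that the reference is not expanded into the element text, would lock this in. Also worth stating in the commit or a comment: with `resolve_entities=False` lxml keeps an entity reference as an entity node rather than substituting its value, so any (non-standard) package that relied on internal entities will lose that text silently instead of failing loudly; the commit message's rationale covers why that is acceptable, but the behaviour change deserves a sentence.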
2 changes: 1 addition & 1 deletion docx/oxml/__init__.py
Expand Up @@ -14,7 +14,7 @@

# configure XML parser
element_class_lookup = etree.ElementNamespaceClassLookup()
oxml_parser = etree.XMLParser(remove_blank_text=True)
oxml_parser = etree.XMLParser(remove_blank_text=True, resolve_entities=False)
oxml_parser.set_element_class_lookup(element_class_lookup)
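Review bot: this hunk in `docx/oxml/__init__.py` duplicates, character for character, the parser configuration from `docx/opc/oxml.py` (`element_class_lookup`, `oxml_parser = etree.XMLParser(remove_blank_text=True, resolve_entities=False)`, `set_element_class_lookup`), which is exactly how a hardening flag gets applied to one parser and forgotten on the other; consider a single shared factory or constant for the parser options so both the package parser and the part parser are built from one definition, with the same entity-expansion regression test covering both entry points.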

