From 61b40b161b64173ab8e362aec1fd197948431beb Mon Sep 17 00:00:00 2001
From: Steve Canny
Date: Sat, 9 Apr 2016 18:31:57 -0700
Subject: [PATCH] oxml: don't resolve XML entities in oxml_parser

Resolving entities in the XML is not required by the Open XML standard and represents a security vulnerability. Turn off entity resolution in both the opc (package) parser and the part parser.
---
 docx/opc/oxml.py | 2 +-
 docx/oxml/__init__.py | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/docx/opc/oxml.py b/docx/opc/oxml.py
index 0c09312b5..494b31dca 100644
--- a/docx/opc/oxml.py
+++ b/docx/opc/oxml.py
@@ -16,7 +16,7 @@
 # configure XML parser
 element_class_lookup = etree.ElementNamespaceClassLookup()
-oxml_parser = etree.XMLParser(remove_blank_text=True)
+oxml_parser = etree.XMLParser(remove_blank_text=True, resolve_entities=False)
 oxml_parser.set_element_class_lookup(element_class_lookup)
 nsmap = {
diff --git a/docx/oxml/__init__.py b/docx/oxml/__init__.py
index 3e320a217..a96cfc1b4 100644
--- a/docx/oxml/__init__.py
+++ b/docx/oxml/__init__.py
@@ -14,7 +14,7 @@
 # configure XML parser
 element_class_lookup = etree.ElementNamespaceClassLookup()
-oxml_parser = etree.XMLParser(remove_blank_text=True)
+oxml_parser = etree.XMLParser(remove_blank_text=True, resolve_entities=False)
 oxml_parser.set_element_class_lookup(element_class_lookup)
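Review bot: The reason for `resolve_entities=False` on the added `oxml_parser` line lives only in the commit message, so a one-line comment beside it would keep a future cleanup from dropping the setting, e.g. `# resolve_entities=False: Open XML never needs entity expansion, and resolving them would let a crafted document pull in external entities or blow up on nested ones`; the identical line in docx/oxml/__init__.py deserves the same comment. The hardening also leans on lxml's defaults of `no_network=True` and `load_dtd=False` staying as they are, so passing them explicitly next to `resolve_entities=False` would make the parser's intent self-describing rather than dependent on library defaults. Since both modules now build the same parser, a single shared factory would stop the two configurations from drifting apart on the next hardening change. Any parse call elsewhere in the package that does not pass `oxml_parser` would still go through lxml's default entity-resolving parser — nothing in this hunk shows such a call, but it is worth confirming.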