There are several attacks (https://pypi.python.org/pypi/defusedxml#id3) that can be performed when XML is parsed from untrusted input. DefusedXML offers safe alternatives to XML parsing libraries but is not currently part of global requirements.

I propose adding DefusedXML to global requirements so that projects have an option for safe XML parsing. Does anybody have any thoughts or objections?

Thanks,
-Travis