We already debated this in https://review.openstack.org/#/c/311857/

All the lessons learned from DefusedXML were already incorporated in
various Python packages. You can test this theory out by using the
test xml(s) in DefusedXML if you wish.

Also note that there have been no changes to the source code since
2013 (https://bitbucket.org/tiran/defusedxml/commits/branch/default).

Thanks,
Dims

On Tue, Sep 27, 2016 at 1:24 PM, Travis McPeak <travis.mcpeak at gmail.com> wrote:
> There are several attacks (https://pypi.python.org/pypi/defusedxml#id3) that
> can be performed when XML is parsed from untrusted input. DefusedXML offers
> safe alternatives to XML parsing libraries but is not currently part of
> global requirements.
>
> I propose adding DefusedXML to global requirements so that projects have an
> option for safe XML parsing. Does anybody have any thoughts or objections?
>
> Thanks,
> -Travis

--
Davanum Srinivas :: https://twitter.com/dims
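
For projects that parse untrusted XML with only the standard library, one way to refuse documents carrying a DTD (where the entity declarations behind the attacks discussed in this thread live) is sketched below. This is an added example, not part of either message and not DefusedXML's code; `parse_untrusted`, `verdict`, `ForbiddenXML` and the sample documents are hypothetical names and constructed inputs.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat


class ForbiddenXML(ValueError):
    """Raised when a document uses a construct we refuse to parse."""


def _reject_doctype(name, system_id, public_id, has_internal_subset):
    # Entity declarations can only appear inside a DTD, so refusing the
    # DOCTYPE refuses internal and external entity definitions as well.
    raise ForbiddenXML(f"DOCTYPE declaration not allowed: {name!r}")


def parse_untrusted(data: bytes) -> ET.Element:
    """Pre-scan with expat, refusing any DTD, then build the tree."""
    scanner = expat.ParserCreate()
    scanner.StartDoctypeDeclHandler = _reject_doctype
    scanner.Parse(data, True)  # raises ForbiddenXML or expat.ExpatError
    return ET.fromstring(data)


def verdict(data: bytes) -> str:
    """Classify a document as accepted, rejected (DTD) or malformed."""
    try:
        parse_untrusted(data)
    except ForbiddenXML:
        return "rejected"
    except (expat.ExpatError, ET.ParseError):
        return "malformed"
    return "accepted"


# Constructed sample inputs (not taken from the DefusedXML test suite).
SAMPLES = {
    "plain": b"<server><name>vm1</name></server>",
    "internal_entity": b'<!DOCTYPE d [<!ENTITY a "aaaa">]><d>&a;</d>',
    "external_entity": (
        b'<!DOCTYPE d [<!ENTITY x SYSTEM "http://example.invalid/x">]>'
        b"<d>&x;</d>"
    ),
    "broken": b"<server><name>vm1</server>",
}

if __name__ == "__main__":
    for label, doc in SAMPLES.items():
        print(f"{label:16s} {verdict(doc)}")
```

The pre-scan parses each document twice, which is acceptable for small API payloads; a service that legitimately needs DTDs cannot use this guard as written.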