Lines Matching +full:- +full:- +full:xml

3 XML Processing Modules
6 .. module:: xml
7 :synopsis: Package containing XML processing modules
12 **Source code:** :source:`Lib/xml/`
14 --------------
16 Python's interfaces for processing XML are grouped in the ``xml`` package.
20 The XML modules are not secure against erroneous or maliciously
22 unauthenticated data see the :ref:`xml-vulnerabilities` and
23 :ref:`defusedxml-package` sections.
25 It is important to note that modules in the :mod:`xml` package require that
26 there be at least one SAX-compliant XML parser available. The Expat parser is
27 included with Python, so the :mod:`xml.parsers.expat` module will always be
30 The documentation for the :mod:`xml.dom` and :mod:`xml.sax` packages are the
33 The XML handling submodules are:
35 * :mod:`xml.etree.ElementTree`: the ElementTree API, a simple and lightweight
36 XML processor
40 * :mod:`xml.dom`: the DOM API definition
41 * :mod:`xml.dom.minidom`: a minimal DOM implementation
42 * :mod:`xml.dom.pulldom`: support for building partial DOM trees
46 * :mod:`xml.sax`: SAX2 base classes and convenience functions
47 * :mod:`xml.parsers.expat`: the Expat parser binding
50 .. _xml-vulnerabilities:
52 XML vulnerabilities
53 -------------------
55 The XML processing modules are not secure against maliciously constructed data.
56 An attacker can abuse XML features to carry out denial of service attacks,
75 potential reliance on system-provided libraries. Check
77 2. :mod:`xml.etree.ElementTree` doesn't expand external entities and raises a
79 3. :mod:`xml.dom.minidom` doesn't expand external entities and simply returns
87 The `Billion Laughs`_ attack -- also known as exponential entity expansion --
102 also point to external resources or local files. The XML
103 parser accesses the resource and embeds the content into the XML document.
106 Some XML libraries like Python's :mod:`xml.dom.pulldom` retrieve document type
111 Decompression bombs (aka `ZIP bomb`_) apply to all XML libraries
112 that can parse compressed XML streams such as gzipped HTTP streams or
113 LZMA-compressed
120 .. _defusedxml-package:
123 ------------------------------------------------------
126 XML parsers that prevent any potentially malicious operation. Use of this
127 package is recommended for any server code that parses untrusted XML data. The
129 XML exploits such as XPath injection.