From ccf427b4a0153068f79beacb7a3492758b5c7148 Mon Sep 17 00:00:00 2001
From: Wu Tingfeng
Date: Wed, 31 Dec 2025 15:22:37 +0800
Subject: [PATCH 1/2] use defusedxml for sax.parse().

---
 pre_commit_hooks/check_xml.py | 6 +++++-
 setup.cfg                     | 1 +
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/pre_commit_hooks/check_xml.py b/pre_commit_hooks/check_xml.py
index ff5536b5..9040a2a5 100644
--- a/pre_commit_hooks/check_xml.py
+++ b/pre_commit_hooks/check_xml.py
@@ -4,6 +4,10 @@
 import xml.sax.handler
 from collections.abc import Sequence
 
+import defusedxml
+
+defusedxml.defuse_stdlib()
+
 
 def main(argv: Sequence[str] | None = None) -> int:
     parser = argparse.ArgumentParser()
@@ -15,7 +19,7 @@ def main(argv: Sequence[str] | None = None) -> int:
     for filename in args.filenames:
         try:
             with open(filename, 'rb') as xml_file:
-                xml.sax.parse(xml_file, handler)
+                defusedxml.sax.parse(xml_file, handler)
         except xml.sax.SAXException as exc:
             print(f'(unknown): Failed to xml parse ({exc})')
             retval = 1
diff --git a/setup.cfg b/setup.cfg
index d91f4399..1712b825 100644
--- a/setup.cfg
+++ b/setup.cfg
@@ -18,6 +18,7 @@ classifiers =
 [options]
 packages = find:
 install_requires =
+    defusedxml>=0.7.1
     ruamel.yaml>=0.15
     tomli>=1.1.0;python_version<"3.11"
 python_requires = >=3.10

From 4883a7a257f89ce8a1ab47b8f517ba56994ddb5d Mon Sep 17 00:00:00 2001
From: Wu Tingfeng
Date: Wed, 31 Dec 2025 15:28:02 +0800
Subject: [PATCH 2/2] use latest defusedxml.

---
 setup.cfg | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/setup.cfg b/setup.cfg
index 1712b825..819a8eef 100644
--- a/setup.cfg
+++ b/setup.cfg
@@ -18,7 +18,7 @@ classifiers =
 [options]
 packages = find:
 install_requires =
-    defusedxml>=0.7.1
+    defusedxml>=0.8.0rc2
     ruamel.yaml>=0.15
     tomli>=1.1.0;python_version<"3.11"
 python_requires = >=3.10
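Review bot: `defusedxml.sax` is never imported in this hunk, so the `defusedxml.sax.parse(...)` call in the next hunk only resolves because `defuse_stdlib()` imports that submodule as a side effect of its own monkeypatching; drop or move that call later and the parse line fails with AttributeError. Add `import defusedxml.sax` alongside `import defusedxml`. `defuse_stdlib()` itself replaces the stdlib xml.sax/minidom/ElementTree parsers for the whole process at import time, which the explicit `defusedxml.sax.parse` already makes unnecessary for this hook; if it stays, a why-comment would help, e.g. `# also hardens the stdlib xml modules process-wide; the hook itself parses via defusedxml.sax below`.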
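Review bot: The `except xml.sax.SAXException` on the line after the new `defusedxml.sax.parse(...)` no longer covers every failure that call raises: defusedxml rejects entity declarations and external references with its own `DefusedXmlException` subclasses (`EntitiesForbidden`, `ExternalReferenceForbidden`), which derive from `ValueError`, not `SAXException`, so a file with a harmless internal `<!ENTITY>` now aborts the hook with a traceback instead of the `Failed to xml parse` message and `retval = 1`. Change the handler to `except (xml.sax.SAXException, defusedxml.DefusedXmlException) as exc:`. This is also a user-visible behaviour change worth a line in the hook's documentation: files that declare entities now fail the check rather than pass it. `main` starts and continues outside the hunk.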
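Review bot: The new floor `defusedxml>=0.8.0rc2` is a pre-release; PEP 440 resolvers accept it because the specifier itself names a pre-release, but it means every install of these hooks pulls a release candidate instead of the stable 0.7.1 the previous commit in this series chose, and the message ("use latest") does not say what the rc provides that 0.7.1 lacks. Either keep `defusedxml>=0.7.1` or state in the commit message which 0.8.0 change the hook depends on, so the floor can move to the final release once it ships.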