Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

DUO107 whitelist from xml.etree.ElementTree import Element, SubElement #28

Closed
hm34306 opened this issue Apr 15, 2020 · 1 comment
Closed

Comments

@hm34306
Copy link

hm34306 commented Apr 15, 2020

defusedxml is not capable of creating Element or SubElement

Whitelisting in bad_xml_use.py

@property
    def whitelisted_modules(self):
        return [
            'xml.sax.saxutils',
            'xml.etree.ElementTree.Element',
            'xml.etree.ElementTree.SubElement',
        ]

would help solve this.

A work around could then be used as follows:

from xml.etree.ElementTree import Element, SubElement

import defusedxml.ElementTree as ET

ET.Element = _ElementType = Element
ET.SubElement = SubElement

Note that we still disallow

from xml.etree.ElementTree import parse
@mschwager
Copy link
Contributor

Interesting, thanks for opening this issue! I'll take a look and get back to you.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants