weaver.xml_util

Define a default XML parser that avoids XXE injection.

Package lxml is employed directly even though some linters (e.g.: bandit) report to employ defusedxml instead, because that package’s extension with lxml is marked as deprecated.

See also

https://github.com/tiran/defusedxml/tree/main#defusedxmllxml

To use the module, import is as if importing lxml.etree:

from weaver.xml_util import XML  # ElementTree
from weaver import xml_util

data = xml_util.fromstring("<xml>content</xml>")

Module Contents

weaver.xml_util.XML_PARSER[source]
weaver.xml_util.tostring[source]
weaver.xml_util.Element[source]
weaver.xml_util.ParseError[source]
weaver.xml_util.XML[source]
weaver.xml_util.XMLTree[source]
weaver.xml_util._lxml_fromstring[source]
weaver.xml_util.fromstring(text: AnyStr, parser: lxml.etree.XMLParser = XML_PARSER) XML[source]
weaver.xml_util.parse(source: str | io.BufferedReader, parser: lxml.etree.XMLParser = XML_PARSER) XMLTree[source]
weaver.xml_util.HTML[source]
weaver.xml_util._lxml_tree_parser_maker(**parser_kwargs: Any) lxml.etree.HTMLParser[source]

Generate the XML/HTML tree parser.

Uses similar parameters as in bs4.builder._lxml.LXMLTreeBuilderForXML.default_parser(), but overriding some other options to make it more secure.

Without this modification, the builder is usually created using:

etree.XMLParser(target=self, strip_cdata=False, recover=True, encoding=encoding)
weaver.xml_util.HTML_PARSER[source]
weaver.xml_util.HTML_TREE_BUILDER[source]
weaver.xml_util.LXML_TREE_BUILDER[source]