Hi,

The Python bug tracker is full of bugs, and sadly we don't have enough people to take care of all of them. There are 3 open bugs about security issues in XML and I simply propose to close them:

https://bugs.python.org/issue17318
https://bugs.python.org/issue17239
https://bugs.python.org/issue24238

The XML documentation already starts with a red warning explaining the security limitations of the Python implementation and points to defusedxml and defusedexpat, which are existing and working counter-measures:

https://docs.python.org/dev/library/xml.html

Note: Christian Heimes, author of these 2 packages, told me that these modules may not work on Python 3.7; he didn't have time to maintain them recently. Maybe someone might want to help him?

I suggest to close the 3 Python bugs without doing anything. Are you ok with that? Keeping the issues open for 3 years doesn't help anyone, and there is already a security warning in all supported versions (I checked 2.7 and 3.4).

It seems like XML is getting less popular because of JSON becoming more popular (even if JSON obviously comes with its own set of security issues...). It seems like fewer core developers care about XML (today than 3 years ago).

We should just accept that core developers have limited availability and that documenting security issues is an *acceptable* trade-off. I don't see any value in keeping these 3 issues open.

Victor