Changelogs » Defusedxml




  - Drop support for Python 2.7, 3.4, and 3.5.
  - Add ``defusedxml.ElementTree.fromstringlist()``
  - Fix regression ``defusedxml.ElementTree.ParseError`` (63)
    The ``ParseError`` exception is now the same class object as
    ``xml.etree.ElementTree.ParseError`` again.


  *Release date: 4-Mar-2021*
  - No changes


  *Release date: 12-Jan-2021*
  - Re-add and deprecate ``defusedxml.cElementTree``
  - Use GitHub Actions instead of TravisCI
  - Restore ``ElementTree`` attribute of ``xml.etree`` module after patching


  *Release date: 04-May-2020*
  - Add support for Python 3.9
  - ``defusedxml.cElementTree`` is not available with Python 3.9.
  - Python 2 is deprecated. Support for Python 2 will be removed in 0.8.0.


  *Release date: 17-Apr-2019*
  - Increase test coverage.
  - Add badges to README.


  *Release date: 14-Apr-2019*
  - Test on Python 3.7 stable and 3.8-dev
  - Drop support for Python 3.4
  - No longer pass *html* argument to XMLParse. It has been deprecated and
    ignored for a long time. The DefusedXMLParser still takes a html argument.
    A deprecation warning is issued when the argument is False and a TypeError
    when it's True.
  - defusedxml now fails early when pyexpat stdlib module is not available or
  - defusedxml.ElementTree.__all__ now lists ParseError as public attribute.
  - The defusedxml.ElementTree and defusedxml.cElementTree modules had a typo
    and used XMLParse instead of XMLParser as an alias for DefusedXMLParser.
    Both the old and fixed name are now available.


  *Release date: 07-Feb-2017*
  - No changes


  *Release date: 28-Jan-2017*
  - Add compatibility with Python 3.6
  - Drop support for Python 2.6, 3.1, 3.2, 3.3
  - Fix lxml tests (XMLSyntaxError: Detected an entity reference loop)


  *Release date: 28-Mar-2013*
  - Add more demo exploits, e.g. and Xalan XSLT demos.
  - Improved documentation.


  *Release date: 25-Feb-2013*
  - As per please REJECT
    CVE-2013-0278, CVE-2013-0279 and CVE-2013-0280 and use CVE-2013-1664,
    CVE-2013-1665 for OpenStack/etc.
  - Add missing parser_list argument to sax.make_parser(). The argument is
    ignored, though. (thanks to Florian Apolloner)
  - Add demo exploit for external entity attack on Python's SAX parser, XML-RPC
    and WebDAV.

0.3 not secure

  *Release date: 19-Feb-2013*
  - Improve documentation


  *Release date: 15-Feb-2013*
  - Rename ExternalEntitiesForbidden to ExternalReferenceForbidden
  - Rename defusedxml.lxml.check_dtd() to check_docinfo()
  - Unify argument names in callbacks
  - Add arguments and formatted representation to exceptions
  - Add forbid_external argument to all functions and classes
  - More tests
  - LOTS of documentation
  - Add example code for other languages (Ruby, Perl, PHP) and parsers (Genshi)
  - Add protection against XML and gzip attacks to xmlrpclib


  *Release date: 08-Feb-2013*
  - Initial and internal release for PSRT review