What should we do with XML attacks?

Because Python is a lot of fun, all of its native XML parsers are vulnerable to various attacks. We're trying to write decent software, so this is not acceptable.

Everyone is recommending defusedxml, but I'm not too keen on adding a dependency that hasn't been updated in 5 years to parse XML. Also, the etree monkey-patching looks scary.

Another way to go would be to monkey-patch the etree code ourselves; since it's only vulnerable to two attacks, we'd only have to disable entity expansion support.

Thoughts?
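As an added example (not part of the original post, and not defusedxml's code), here is one way to build the "do it ourselves" parser the post sketches without patching ElementTree internals: drive pyexpat directly into an `ElementTree.TreeBuilder` and install an `EntityDeclHandler` that aborts on any `<!ENTITY ...>` declaration. Both billion-laughs and XXE start with an entity declaration, so refusing the declaration stops either before anything is expanded or fetched. The names `parse_untrusted`, `rejects_entities` and `EntitiesForbidden` are hypothetical, and the payloads are constructed samples.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat


class EntitiesForbidden(ValueError):
    """Raised as soon as untrusted XML declares an entity (hypothetical name)."""


def _fixname(name: str) -> str:
    # expat was created with "}" as namespace separator, so it reports
    # namespaced names as "uri}local"; ElementTree spells them "{uri}local".
    return "{" + name if "}" in name else name


def parse_untrusted(data: bytes) -> ET.Element:
    """Parse XML into an ElementTree Element, refusing any <!ENTITY ...>.

    Billion-laughs needs nested internal entities and XXE needs an external
    entity; both begin with an entity declaration, so rejecting the
    declaration stops the attack before expansion or fetching happens.
    A fresh expat parser is created per call because parsers are single-use.
    """
    builder = ET.TreeBuilder()
    parser = expat.ParserCreate(None, "}")
    parser.buffer_text = True  # deliver character data in fewer chunks

    def forbid_entity_decl(name, is_parameter_entity, value, base,
                           system_id, public_id, notation_name):
        # An exception raised inside an expat handler stops the parse and
        # propagates out of Parse(), so nothing is expanded after this point.
        kind = "parameter" if is_parameter_entity else "general"
        raise EntitiesForbidden(f"{kind} entity {name!r} declared in untrusted XML")

    parser.EntityDeclHandler = forbid_entity_decl
    parser.StartElementHandler = lambda tag, attrs: builder.start(
        _fixname(tag), {_fixname(k): v for k, v in attrs.items()})
    parser.EndElementHandler = lambda tag: builder.end(_fixname(tag))
    parser.CharacterDataHandler = builder.data

    # Malformed input raises expat.ExpatError, handled by callers like any
    # other parse failure; external DTDs are never fetched because no
    # ExternalEntityRefHandler is installed.
    parser.Parse(data, True)
    return builder.close()


def rejects_entities(data: bytes) -> bool:
    """True if parse_untrusted refuses the document because it declares entities."""
    try:
        parse_untrusted(data)
    except EntitiesForbidden:
        return True
    return False


# Constructed samples, not captured input.
BILLION_LAUGHS = b"""<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
]>
<lolz>&lol2;</lolz>"""

XXE = b"""<?xml version="1.0"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<foo>&xxe;</foo>"""

BENIGN = b'<root xmlns="urn:example"><item id="1">hello &amp; goodbye</item></root>'


if __name__ == "__main__":
    root = parse_untrusted(BENIGN)
    print(root.tag, root[0].attrib, root[0].text)
    for payload in (BILLION_LAUGHS, XXE):
        print("rejected:", rejects_entities(payload))
```

Building on `xml.parsers.expat` directly sidesteps the reason defusedxml has to re-import the pure-Python ElementTree module: the C-accelerated `XMLParser` does not expose its underlying expat object, so there is nothing to patch on it. The predefined entities (`&amp;`, `&lt;`, ...) are handled by expat itself and still work, and a document that declares no entities parses exactly as it would with `ET.fromstring`.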