What should we do with XML attacks?
Because Python is a lot of fun, all of its native XML parsers are vulnerable to various attacks. We're trying to write decent software, so this is not acceptable.
Everyone is recommending defusedxml, but I'm not too keen on adding a dependency that hasn't been updated in 5 years to parse XML. Also, the etree monkey-patching looks scary.
Another way to go would be to monkey-patch the etree code ourselves; since it's only vulnerable to two attacks, we'd only have to disable entity expansion support.
Thoughts?
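As an added example (not the original poster's code and not defusedxml's), here is what "disable entity expansion" can look like without touching anything inside `xml.etree`: drive the stdlib `expat` parser directly with your own handlers, refuse any DOCTYPE / entity declaration / external entity reference, and feed the element events into ElementTree's own `TreeBuilder`. The names `parse_without_entities`, `ForbiddenXML` and `rejected`, and the three sample documents, are my own constructions for this example; the billion-laughs and external-entity payloads are the classic shapes of the two attacks the post refers to.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat


class ForbiddenXML(ValueError):
    """Raised when the document tries to declare a DTD or an entity."""


def parse_without_entities(data, *, forbid_dtd=True):
    """Parse `data` (str or bytes) into an ElementTree Element.

    Refuses any DOCTYPE (when forbid_dtd is true), any entity declaration
    (internal or external) and any external entity reference.  The five
    predefined entities (&amp; &lt; ...) and numeric character references
    still work: expat resolves them without an entity declaration, so the
    handlers below never see them.

    Simplification (assumption of this example): no namespace processing,
    so tags come back as written (e.g. "p:tag"), not as "{uri}tag".
    """
    builder = ET.TreeBuilder()
    parser = expat.ParserCreate()
    parser.buffer_text = True  # fewer, larger CharacterDataHandler calls

    def on_doctype(name, sysid, pubid, has_internal_subset):
        if forbid_dtd:
            raise ForbiddenXML("DOCTYPE declarations are not allowed (%r)" % name)

    def on_entity_decl(name, is_parameter_entity, value, base, sysid, pubid, notation):
        # Fires for <!ENTITY ...> inside the internal subset, i.e. the
        # building block of both billion-laughs and XXE payloads.
        raise ForbiddenXML("entity declaration %r is not allowed" % name)

    def on_external_entity(context, base, sysid, pubid):
        # Stock expat never fetches external resources itself; this handler
        # is the only path by which one could be resolved, so make it fail.
        raise ForbiddenXML("external entity reference %r is not allowed" % sysid)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_entity

    # Everything else goes straight into ElementTree's TreeBuilder.
    # Comments and processing instructions are dropped (no handler set).
    parser.StartElementHandler = builder.start
    parser.EndElementHandler = builder.end
    parser.CharacterDataHandler = builder.data

    parser.Parse(data, True)
    return builder.close()


def rejected(data, **kwargs):
    """True if the parser refused `data`, False if it parsed it."""
    try:
        parse_without_entities(data, **kwargs)
    except ForbiddenXML:
        return True
    return False


# Constructed sample documents for this example.
BILLION_LAUGHS = b"""<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<lolz>&lol3;</lolz>"""

XXE = b"""<?xml version="1.0"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<foo>&xxe;</foo>"""

BENIGN = b"""<?xml version="1.0"?>
<config><item name="a &amp; b">&#65;</item></config>"""


if __name__ == "__main__":
    print("billion laughs rejected:", rejected(BILLION_LAUGHS))
    print("billion laughs rejected (DTD allowed):", rejected(BILLION_LAUGHS, forbid_dtd=False))
    print("xxe rejected:", rejected(XXE))
    root = parse_without_entities(BENIGN)
    print("benign parsed:", root.tag, root.find("item").get("name"), root.find("item").text)
```

With `forbid_dtd=True` (the default) the DOCTYPE handler fires before a single entity is declared, which is the cheapest possible check; `forbid_dtd=False` lets harmless DOCTYPEs through and relies on the entity-declaration handler instead, which the second billion-laughs call exercises. Note this only removes the entity-based attacks; it still runs the same expat library that the stdlib parsers use, so it does nothing about bugs in expat itself.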