
Contact

Open · danielelkabes opened this issue 4 years ago · 1 comment

Hi team,

I've contacted you via email, please let me know if you've received my email.

Thanks

danielelkabes · Feb 04 '21 13:02

Hi @danielelkabes, the pull request #14 discusses the potential security issue you raised via email, where XML docs with entity references to local files could be parsed by the lxml implementation to expose the contents of arbitrary local files.

I'm still not sure this is a realistic enough attack vector to apply the hacky work-around I came up with in #14, which is, I think, the only remediation currently possible for lxml. But I'm open to being persuaded that this fix, or a better one, should be merged and the library updated.

jmurty · Feb 12 '21 11:02
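As an added illustration of the issue discussed above (example code written here, not xml4h's own code and not the work-around in #14), the lxml parser options that keep an entity reference to a local file from being expanded, checked against a constructed document and a throw-away file; the function names, the file and the XML are all made up for the example:

```python
"""Added example: an lxml parser configured so external entity references stay unexpanded.

Not the xml4h project's own code; the secret file and XML document are constructed here.
"""
import os
import tempfile
from pathlib import Path

from lxml import etree


def write_constructed_secret() -> str:
    """Create a throw-away local file standing in for data the parser must not leak."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "w") as fh:
        fh.write("SECRET-CONTENT")
    return path


def build_doc_with_external_entity(path: str) -> bytes:
    """Constructed document whose external entity points at a local file."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE note [<!ENTITY ext SYSTEM "{Path(path).as_uri()}">]>\n'
        "<note><body>&ext;</body></note>"
    ).encode()


def hardened_parser() -> etree.XMLParser:
    """Parser that leaves entity references as nodes and never fetches DTDs or URLs."""
    return etree.XMLParser(
        resolve_entities=False,  # keep &ext; as a reference node, never substitute it
        no_network=True,         # refuse network fetches for external resources
        load_dtd=False,          # do not load an external DTD subset
    )


def parse_untrusted(xml: bytes) -> bytes:
    """Parse with the hardened parser and return the re-serialised document."""
    root = etree.fromstring(xml, hardened_parser())
    return etree.tostring(root)


def leaks_file(xml: bytes, marker: bytes) -> bool:
    """True if the referenced file's contents reached the parsed tree; expected False."""
    return marker in parse_untrusted(xml)


if __name__ == "__main__":
    secret_path = write_constructed_secret()
    try:
        doc = build_doc_with_external_entity(secret_path)
        print("leaked:", leaks_file(doc, b"SECRET-CONTENT"))  # leaked: False
    finally:
        os.remove(secret_path)
```

The re-serialised output still contains the literal `&ext;` reference, which is the observable sign that the parser did not substitute the file contents.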