Explore Enterprise Education Gitee Premium Gitee AI AI teammates
Fetch the repository succeeded.
Create your Gitee Account
Explore and code with more than 14 million developers,Free private repositories !:)
Sign up
Already have an account? Sign in
文件
master
Branches (1)
master
master
Branches (1)
master
Clone or Download
Clone/Download
Prompt
To download the code, please copy the following command and execute it in the terminal
To ensure that your submitted code identity is correctly recognized by Gitee, please execute the following command.
When using the SSH protocol for the first time to clone or push code, follow the prompts below to complete the SSH configuration.
1 Generate RSA keys.
2 Obtain the content of the RSA public key and configure it in SSH Public Keys
To use SVN on Gitee, please visit the usage guide
When using the HTTPS protocol, the command line will prompt for account and password verification as follows. For security reasons, Gitee recommends configure and use personal access tokens instead of login passwords for cloning, pushing, and other operations.
Username for 'https://gitee.com': userName
Password for 'https://userName@gitee.com': # Private Token
master
Branches (1)
master
xml.rst 5.92 KB
Copy Edit Raw Blame History
zhangweibo authored 2021年11月16日 09:46 +08:00 . git init

XML Processing Modules

.. module:: xml
 :synopsis: Package containing XML processing modules

.. sectionauthor:: Christian Heimes <christian@python.org>
.. sectionauthor:: Georg Brandl <georg@python.org>

Source code: :source:`Lib/xml/`


Python's interfaces for processing XML are grouped in the xml package.

Warning

The XML modules are not secure against erroneous or maliciously constructed data. If you need to parse untrusted or unauthenticated data see the :ref:`xml-vulnerabilities` and :ref:`defused-packages` sections.

It is important to note that modules in the :mod:`xml` package require that there be at least one SAX-compliant XML parser available. The Expat parser is included with Python, so the :mod:`xml.parsers.expat` module will always be available.

The documentation for the :mod:`xml.dom` and :mod:`xml.sax` packages are the definition of the Python bindings for the DOM and SAX interfaces.

The XML handling submodules are:

XML vulnerabilities

The XML processing modules are not secure against maliciously constructed data. An attacker can abuse XML features to carry out denial of service attacks, access local files, generate network connections to other machines, or circumvent firewalls.

The following table gives an overview of the known attacks and whether the various modules are vulnerable to them.

kind sax etree minidom pulldom xmlrpc
billion laughs Vulnerable Vulnerable Vulnerable Vulnerable Vulnerable
quadratic blowup Vulnerable Vulnerable Vulnerable Vulnerable Vulnerable
external entity expansion Safe (4) Safe (1) Safe (2) Safe (4) Safe (3)
:mod:`xml.etree.ElementTree` doesn't expand external entities and raises a :exc:`ParserError` when an entity occurs.
  • :mod:`xml.dom.minidom` doesn't expand external entities and simply returns the unexpanded entity verbatim.
  • :mod:`xmlrpclib` doesn't expand external entities and omits them.
  • Since Python 3.7.1, external general entities are no longer processed by default.
  • billion laughs / exponential entity expansion
    The Billion Laughs attack; it abuses entity expansion, too. Instead of nested entities it repeats one large entity with a couple of thousand chars over and over again. The attack isn't as efficient as the exponential case but it avoids triggering parser countermeasures that forbid deeply-nested entities.
    external entity expansion
    Entity declarations can contain more than just text for replacement. They can also point to external resources or local files. The XML parser accesses the resource and embeds the content into the XML document.
    :mod:`xml.dom.pulldom` retrieve document type definitions from remote or local locations. The feature has similar implications as the external entity expansion issue.
    decompression bomb
    Decompression bombs (aka defusedxml on PyPI has further information about all known attack vectors with examples and references.

    The :mod:`defusedxml` and :mod:`defusedexpat` Packages

    defusedexpat provides a modified libexpat and a patched :mod:`pyexpat` module that have countermeasures against entity expansion DoS attacks. The :mod:`defusedexpat` module still allows a sane and configurable amount of entity expansions. The modifications may be included in some future release of Python, but will not be included in any bugfix releases of Python because they break backward compatibility.

    Loading...
    Report
    Report success
    We will send you the feedback within 2 working days through the letter!
    Please fill in the reason for the report carefully. Provide as detailed a description as possible.
    Please select a report type
    Cancel
    Send
    误判申诉

    此处可能存在不合适展示的内容,页面不予展示。您可通过相关编辑功能自查并修改。

    如您确认内容无涉及 不当用语 / 纯广告导流 / 暴力 / 低俗色情 / 侵权 / 盗版 / 虚假 / 无价值内容或违法国家有关法律法规的内容,可点击提交进行申诉,我们将尽快为您处理。

    取消
    提交

    About

    Cancel

    Releases

    No release

    Contributors

    All

    Language(Optional)

    Activities

    can not load any more
    Edit
    About
    Homepage
    马建仓 AI 助手
    尝试更多
    代码解读
    代码找茬
    代码优化
    1
    https://gitee.com/python_sourcecode/python3.8.1.git
    git@gitee.com:python_sourcecode/python3.8.1.git
    python_sourcecode
    python3.8.1
    python3.8.1
    master
    Login prompt
    This operation requires login to the code cloud account. Please log in before operating.
    Go to login
    No account. Register

    AltStyle によって変換されたページ (->オリジナル) /