IMPROVEMENT: use defusedxml because it is safer

ArduPilot · Jun 16, 2024 · 601ad32 · 601ad32
1 parent 69740b8
commit 601ad32
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 2 deletions.
diff --git a/MethodicConfigurator/annotate_params.py b/MethodicConfigurator/annotate_params.py
@@ -30,7 +30,10 @@
 from sys import exc_info as sys_exc_info
 from sys import exit as sys_exit
 from typing import Any, Dict, List, Optional, Tuple
-import xml.etree.ElementTree as ET
+
+from xml.etree import ElementTree as ET
+from defusedxml import ElementTree as DET
+
 import argparse
 import logging
 
@@ -341,7 +344,7 @@ def get_xml_data(base_url: str, directory: str, filename: str) -> ET.Element:
             raise SystemExit("permission denied to write online XML documentation to file") from e
 
     # Parse the XML data
-    root = ET.fromstring(xml_data)
+    root = DET.fromstring(xml_data)
 
     # Load parameter default values if the 00_default.param file exists
     try:

diff --git a/setup.py b/setup.py
@@ -84,6 +84,7 @@
     author_email='[email protected]',
     packages=find_packages(),
     install_requires=[
+        'defusedxml',
         'matplotlib',
         'numpy',
         'platformdirs',