diff options
-rw-r--r-- | CHANGES.txt | 1 | ||||
-rw-r--r-- | README.txt | 3 | ||||
-rw-r--r-- | defusedxml/lxml.py | 5 | ||||
-rw-r--r-- | tests.py | 18 |
4 files changed, 24 insertions, 3 deletions
diff --git a/CHANGES.txt b/CHANGES.txt index 7845644..f50624e 100644 --- a/CHANGES.txt +++ b/CHANGES.txt @@ -20,6 +20,7 @@ defusedxml 0.6.0.dev1 Both the old and fixed name are now available. + defusedxml 0.5.0 ---------------- @@ -347,6 +347,9 @@ modify the default by changing the module variable `MAX_DATA`. A value of defusedxml.lxml --------------- +**DEPRECATED** The module is deprecated and will be removed in a future +release. + The module acts as an *example* how you could protect code that uses lxml.etree. It implements a custom Element class that filters out Entity instances, a custom parser factory and a thread local storage for diff --git a/defusedxml/lxml.py b/defusedxml/lxml.py index f16256f..6d31f63 100644 --- a/defusedxml/lxml.py +++ b/defusedxml/lxml.py @@ -3,7 +3,7 @@ # Copyright (c) 2013 by Christian Heimes <christian@python.org> # Licensed to PSF under a Contributor Agreement. # See https://www.python.org/psf/license for licensing details. -"""Example code for lxml.etree protection +"""DEPRECATED Example code for lxml.etree protection The code has NO protection against decompression bombs. """ @@ -26,7 +26,8 @@ tostring = _etree.tostring warnings.warn( "defusedxml.lxml is no longer supported and will be removed in a " "future release.", - category=DeprecationWarning + category=DeprecationWarning, + stacklevel=2 ) @@ -22,14 +22,24 @@ try: except ImportError: gzip = None + +if sys.version_info < (3, 7): + warnings.filterwarnings( + 'once', + category=DeprecationWarning + ) + + try: - from defusedxml import lxml + with warnings.catch_warnings(record=True) as lxml_warnings: + from defusedxml import lxml from lxml.etree import XMLSyntaxError LXML3 = lxml.LXML3 except ImportError: lxml = None XMLSyntaxError = None LXML3 = False + lxml_warnings = None warnings.filterwarnings( @@ -38,6 +48,7 @@ warnings.filterwarnings( module=r"defusedxml\..*" ) + HERE = os.path.dirname(os.path.abspath(__file__)) # prevent web access @@ -390,6 +401,11 @@ class TestDefusedLxml(BaseTests): self.assertEqual(len(elements), 1) self.assertEqual(elements, list(root)[:1]) + def test_lxml_warnings(self): + self.assertTrue(lxml_warnings) + self.assertEqual(lxml_warnings[0].category, DeprecationWarning) + self.assertIn('tests.py', lxml_warnings[0].filename) + class XmlRpcTarget(object): |