bpo-17239: Disable external entities in SAX parser (GH-9217) The SAX parser no longer processes general external entities by default to increase security. Before, the parser created network connections to fetch remote files or loaded local files from the file system for DTD and entities. Signed-off-by: Christian Heimes <christian@python.org> https://bugs.python.org/issue17239

commit: 17b1d5d4e36aa57a9b25a0e694affbd1ee637e45 [log] [tgz]
author: Christian Heimes <christian@python.org> Sun Sep 23 09:50:25 2018 +0200
committer: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com> Sun Sep 23 00:50:25 2018 -0700
tree: 486acd3328d5e607bd05936fdfb73eb548d4fa90
parent: 9fb051f032c36b9f6086b79086b4d6b7755a3d70 [diff] [blame]
diff --git a/Doc/library/xml.dom.pulldom.rst b/Doc/library/xml.dom.pulldom.rst
index 56f545c..eb2b16b 100644
--- a/Doc/library/xml.dom.pulldom.rst
+++ b/Doc/library/xml.dom.pulldom.rst

@@ -25,6 +25,20 @@
    maliciously constructed data.  If you need to parse untrusted or
    unauthenticated data see :ref:`xml-vulnerabilities`.
 
+.. versionchanged:: 3.8
+
+   The SAX parser no longer processes general external entities by default to
+   increase security by default. To enable processing of external entities,
+   pass a custom parser instance in::
+
+      from xml.dom.pulldom import parse
+      from xml.sax import make_parser
+      from xml.sax.handler import feature_external_ges
+
+      parser = make_parser()
+      parser.setFeature(feature_external_ges, True)
+      parse(filename, parser=parser)
+
 
 Example::
commit	17b1d5d4e36aa57a9b25a0e694affbd1ee637e45	[log] [tgz]
author	Christian Heimes <christian@python.org>	Sun Sep 23 09:50:25 2018 +0200
committer	Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>	Sun Sep 23 00:50:25 2018 -0700
tree	486acd3328d5e607bd05936fdfb73eb548d4fa90
parent	9fb051f032c36b9f6086b79086b4d6b7755a3d70 [diff] [blame]