def test_dtd(self): """ Any DTD urls must fail by default. """ xml = '<!DOCTYPE x SYSTEM "file:///etc/group"><x>Remote DTD 1</x>' with self.assertRaises(defusedxml.DTDForbidden): self.fromstring(xml.strip())
def test_param_entity(self): """ Ensure that any xml params that are decdoed into SYSTEM entities fail. """ xml = """ <!DOCTYPE x [ <!ENTITY % foo SYSTEM "file:///etc/group"> %foo; ]> <x>Parameter entity 1</x> """ with self.assertRaises(defusedxml.EntitiesForbidden): self.fromstring(xml.strip(), forbid_dtd=False)
def test_system_entity(self): """ Ensure that any SYSTEM entities fail by default """ xml = """ <!DOCTYPE x [ <!ENTITY foo SYSTEM "file:///etc/group"> ]> <x>External entity 1: &foo;</x> """ with self.assertRaises(defusedxml.EntitiesForbidden): self.fromstring(xml.strip(), forbid_dtd=False)