Skip to content

gh-139478: Add warning about lack of validation for xml.sax.saxutils.XMLGenerator#139479

Open
sethmlarson wants to merge 5 commits intopython:mainfrom
sethmlarson:xml-sax-untrusted-input-warning
Open

gh-139478: Add warning about lack of validation for xml.sax.saxutils.XMLGenerator#139479
sethmlarson wants to merge 5 commits intopython:mainfrom
sethmlarson:xml-sax-untrusted-input-warning

Conversation

@sethmlarson
Copy link
Copy Markdown
Contributor

@sethmlarson sethmlarson commented Oct 1, 2025
edited by github-actions bot
Loading

@bedevere-app bedevere-app bot added the docs Documentation in the Doc dir label Oct 1, 2025
@github-project-automation github-project-automation bot moved this to Todo in Docs PRs Oct 1, 2025
@bedevere-app bedevere-app bot mentioned this pull request Oct 1, 2025
Open
StanFromIreland
StanFromIreland reviewed Oct 1, 2025
View reviewed changes
@sethmlarson @StanFromIreland
Commit suggestion from code review
87080f7 
Co-authored-by: Stan Ulbrych <89152624+StanFromIreland@users.noreply.github.com>
@sethmlarson @picnixz
Commit suggestion from code review
e845206 
Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>
@picnixz
Copy link
Copy Markdown
Member

picnixz commented Oct 1, 2025

My comment got hidden because of the resolved conversation:

Also, I would instead put the warning after the class description (before the versionchanged). The rationale is that when reading the warning box, we still don't know what this class do.

@sethmlarson
Copy link
Copy Markdown
Contributor Author

sethmlarson commented Oct 1, 2025

Thanks for the suggestion @picnixz, I've moved the warning in 4b4c15a

@sethmlarson
Copy link
Copy Markdown
Contributor Author

sethmlarson commented Oct 1, 2025

@serhiy-storchaka I changed the warning to a note about intended usage here: cbe0c12 please take a look.

hugovk
hugovk approved these changes Oct 1, 2025
View reviewed changes
Doc/library/xml.sax.utils.rst
Comment on lines +76 to +77
with SAX parser functions from the :mod:`!xml.sax` module. Using XMLGenerator
on untrusted user inputs is not the intended use.
Copy link
Copy Markdown
Member

@hugovk hugovk Oct 1, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
with SAX parser functions from the :mod:`!xml.sax` module. Using XMLGenerator
on untrusted user inputs is not the intended use.
with SAX parser functions from the :mod:`!xml.sax` module. Using
:class:`!XMLGenerator` on untrusted user inputs is not the intended use.

vstinner
vstinner reviewed Oct 2, 2025
View reviewed changes
Doc/library/xml.sax.utils.rst
.. note::
:class:`!XMLGenerator` is only intended to be used as a ``handler``
with SAX parser functions from the :mod:`!xml.sax` module. Using XMLGenerator
on untrusted user inputs is not the intended use.
Copy link
Copy Markdown
Member

@vstinner vstinner Oct 2, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

"is only intended to be used": Ok, but what are the consequences if the class is misused? It's unclear to me what are the risks.

Copy link
Copy Markdown
Member

@merwok merwok Oct 9, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

XML injections: martinblech/xmltodict#377 (comment)

serhiy-storchaka
serhiy-storchaka reviewed Oct 2, 2025
View reviewed changes
Doc/library/xml.sax.utils.rst
Comment on lines +75 to +77
:class:`!XMLGenerator` is only intended to be used as a ``handler``
with SAX parser functions from the :mod:`!xml.sax` module. Using XMLGenerator
on untrusted user inputs is not the intended use.
Copy link
Copy Markdown
Member

@serhiy-storchaka serhiy-storchaka Oct 2, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In this form it simply reiterates what was said in the previous paragraph.

Even if this was not intended, people use XMLGenerator for generating XML. If it worked for them, it is fine. They should be aware about pitfalls. But I suggest adding such notes/warnings in other places that are used to generate XML first or simultaneously with XMLGenerator. They all should use unified wording. We can keep a short reminder that this is not intended use of XMLGenerator, the rest of the note should be similar to other notes.

I propose also to add helpers to validate names (#139489). Since this is a new feature, we cannot refer it the documentation changes that will be backported, but keep in mind that we can add references later.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@vstinner vstinner vstinner left review comments

@merwok merwok merwok left review comments

@serhiy-storchaka serhiy-storchaka serhiy-storchaka left review comments

@StanFromIreland StanFromIreland StanFromIreland left review comments

@hugovk hugovk hugovk approved these changes

@picnixz picnixz picnixz approved these changes

Assignees

No one assigned

Labels

awaiting merge docs Documentation in the Doc dir

Projects

Docs PRs
Status: Todo

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

8 participants

@sethmlarson @picnixz @vstinner @merwok @hugovk @serhiy-storchaka @StanFromIreland @nazeerali4325-commits