From 569c3a28e662ccef251acc6494047ec9c83556c2 Mon Sep 17 00:00:00 2001
From: Tom Christie
Date: Fri, 22 Feb 2013 19:41:09 +0000
Subject: [PATCH] Add forbid_dtd flag, since we don't need any DTDs.
---
 rest_framework/parsers.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rest_framework/parsers.py b/rest_framework/parsers.py
index 7bbb5f940..491acd68c 100644
--- a/rest_framework/parsers.py
+++ b/rest_framework/parsers.py
@@ -152,7 +152,7 @@ class XMLParser(BaseParser):
 encoding = parser_context.get('encoding', settings.DEFAULT_CHARSET)
 parser = etree.DefusedXMLParser(encoding=encoding)
 try:
- tree = etree.parse(stream, parser=parser)
+ tree = etree.parse(stream, parser=parser, forbid_dtd=True)
 except (etree.ParseError, ValueError) as exc:
 raise ParseError('XML parse error - %s' % six.u(exc))
 data = self._xml_convert(tree.getroot())
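Review bot: The `forbid_dtd=True` added to `etree.parse(...)` probably has no effect, because the same call passes an explicit `parser=parser`. As far as I know, defusedxml's `parse()` uses its `forbid_*` keywords only to build a default parser when none is supplied. That assumes `etree` is defusedxml's ElementTree, which the hunk does not show. The parser on the context line above is built without the flag, so a request body carrying a DOCTYPE would still be accepted, with only the default entity and external-reference blocking in force. Set the flag on the constructor instead, `parser = etree.DefusedXMLParser(encoding=encoding, forbid_dtd=True)`, and add a test that submits a document with a DOCTYPE declaration and expects the `ParseError` path. The enclosing method begins before the hunk and continues after it.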