Add forbid_dtd flag, since we don't need any DTDs.

2025-10-26 05:31:07 +03:00 · 2013-02-22 19:41:09 +00:00 · 2013-02-22 19:41:09 +00:00 · 569c3a28e6
commit 569c3a28e6
parent dcee027fa9
1 changed files with 1 additions and 1 deletions
--- a/rest_framework/parsers.py
+++ b/rest_framework/parsers.py
@ -152,7 +152,7 @@ class XMLParser(BaseParser):
        encoding = parser_context.get('encoding', settings.DEFAULT_CHARSET)
        parser = etree.DefusedXMLParser(encoding=encoding)
        try:
-            tree = etree.parse(stream, parser=parser)
+            tree = etree.parse(stream, parser=parser, forbid_dtd=True)
        except (etree.ParseError, ValueError) as exc:
            raise ParseError('XML parse error - %s' % six.u(exc))
        data = self._xml_convert(tree.getroot())