because rdflib is intended to parse remote XML it should use defusedxml by default

[graingert]

"The results of an attack on a vulnerable XML library can be fairly dramatic. With just a few hundred Bytes of XML data an attacker can occupy several Gigabytes of memory within seconds. An attacker can also keep CPUs busy for a long time with a small to medium size request. Under some circumstances it is even possible to access local files on your server, to circumvent a firewall, or to abuse services to rebound attacks to third parties."

https://pypi.python.org/pypi/defusedxml

[joernhees]

👍
i like the idea of hardening rdflib a bit, but as always, there is a trade-off between hardening, usability and maintainability.
We should discuss to what degree it is rdflib's job to protect you from evil input.
The extremes go from "it's not rdflib's fault if you feed it evil data, do all the checks yourself in advance" to "feed rdflib whatever you like, you won't be able to break it".

[ghost]

👍