Vulnerability to XML attacks

[ChakshuGupta13]

B410: import_lxml

Using etree to parse untrusted XML data is known to be vulnerable to XML attacks. Replace etree with the equivalent defusedxml package.

[PetrVys]

Hello,

Thanks for the scan. I believe this is a false positive, since Tkd-Alex used lxml.etree (external library) and not xml.etree (internal Python C implementation). Lxml is a new implementation and to the best of my (limited) knowledge it is regularly updated and safe to use.

[ChakshuGupta13]

You're right about xml.etree - I confused it with lxml. But concern about lxml still stands. I have updated issue description with relevant link and reference; may that will help clarify.

[PetrVys]

Ok, I stand corrected :-)

I'll add it to the queue - in the meantime it's definitely not a serious issue, stealing data from malformed XMP tag into another offline picture is a very unlikely scenario ^_^