
suspicious-lxml-import (S410)

Derived from the flake8-bandit linter.

This rule is unstable and in preview. The --preview flag is required for use.

What it does

Checks for imports of the `lxml` module.

Why is this bad?

Using various methods from the lxml module to parse untrusted XML data is known to be vulnerable to XML attacks. Replace vulnerable imports with the equivalent defusedxml package.

Example

import lxml
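An added example, not from the Ruff documentation or the rule's own implementation: a small `ast`-based scanner that flags the same import forms the rule describes (`import lxml`, `import lxml.etree`, `from lxml import ...`) on a constructed sample module, so the check can be reproduced on code where Ruff's preview rules are not enabled.

```python
"""Constructed stand-in for the S410 check: flag lxml imports with the ast module."""
import ast
from typing import List, Tuple

# Constructed sample module (not from the Ruff docs) mixing lxml and safe imports.
SAMPLE_SOURCE = """\
import os
import lxml
import lxml.etree as ET
from lxml import etree
from lxml.html import fromstring
import defusedxml.ElementTree as safe_ET
"""


def find_lxml_imports(source: str) -> List[Tuple[int, str]]:
    """Return (line_number, module) for every import of lxml or an lxml submodule.

    Mirrors what S410 reports (imports of the lxml module) for one source string;
    it does not invoke Ruff. Relative imports are ignored because they cannot
    resolve to the third-party lxml package.
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            # `import lxml`, `import lxml.etree as ET`
            for alias in node.names:
                if alias.name == "lxml" or alias.name.startswith("lxml."):
                    findings.append((node.lineno, alias.name))
        elif isinstance(node, ast.ImportFrom):
            # `from lxml import etree`, `from lxml.html import fromstring`
            module = node.module or ""
            if node.level == 0 and (module == "lxml" or module.startswith("lxml.")):
                findings.append((node.lineno, module))
    return sorted(findings)


if __name__ == "__main__":
    for lineno, module in find_lxml_imports(SAMPLE_SOURCE):
        print(f"S410 line {lineno}: suspicious import of {module}")
```

Each finding is a candidate for replacement with the corresponding `defusedxml` import, as the rule recommends.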