
gh-127502: Update XML vulnerability table #135294


Open
vstinner wants to merge 4 commits into python:main from vstinner:xml_safe

Conversation

@vstinner (Member) commented Jun 9, 2025 (edited by github-actions bot)

Python 3.11-3.15 include expat 2.7.1 which is not vulnerable.

expat 2.6.0 was released in February 2024.


📚 Documentation preview 📚:https://cpython-previews--135294.org.readthedocs.build/

@encukou (Member)

Do you think the table should be kept, now that it says Safe almost everywhere?

@vstinner (Member, Author)

Do you think the table should be kept, now that it says Safe almost everywhere?

The table has many notes with pyexpat versions. There are likely old Python versions in the wild with old pyexpat versions.

The question is more if we need to keep the big red warning at the top:

The XML modules are not secure against erroneous or maliciously constructed data. If you need to parse untrusted or unauthenticated data see the XML vulnerabilities and The defusedxml Package sections.

Maybe this warning can just be removed.

Since Python XML modules are now safe by default, we can maybe remove references to the defusedxml project which is no longer needed.

Note: The latest defused version (0.7.0) was released in 2021. There is a 0.8.0rc2 version around since September 2023 with no final release. The project seems to be unmaintained (latest commit: 2 years ago).

@vstinner (Member, Author)

I updated my PR to remove the red warning and remove references to defusedxml.

@hannob

There are similar warnings in several other files, e.g.:

Doc/library/xml.etree.elementtree.rst
Doc/library/xml.dom.pulldom.rst
Doc/library/xml.dom.minidom.rst
Doc/library/xml.sax.rst

Replace also "XML Vulnerabilities" with "XML Security".

@vstinner (Member, Author)

There are similar warnings in several other files

Good catch. I replaced most warnings with notes. I replaced also "XML Vulnerabilities" with "XML Security".

I kept the warnings for XML-RPC client and server since the XML table still says that XML-RPC is vulnerable to decompression bomb.

@encukou (Member)

The table has many notes with pyexpat versions. There are likely old Python versions in the wild with old pyexpat versions.

So maybe the whole table, and the list of vulnerabilities, could be replaced with something like: “Expat versions lower than 2.6.0 may be vulnerable to :cve:`xxx-xxx` and :cve:`xxx-xxx`. Python may be vulnerable if it uses such older versions of Expat as a system-provided library. Check :const:`!pyexpat.EXPAT_VERSION`.”
and maybe a link to defusedxml for details?

@sethmlarson, is it OK to remove the note “The XML processing modules are not secure against maliciously constructed data”, if all known vulnerabilities are fixed?

@vstinner (Member, Author)

On Linux, Python is usually linked to the system expat library, and so we don't control the expat version. For this reason, I would prefer to keep the table for now. The table contains a lot of information and has many notes.
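The check the discussion keeps coming back to is "what Expat is this interpreter actually linked against, and is it at least 2.6.0?" The following is an added example, not code from the PR or from CPython's documentation: it parses `pyexpat.EXPAT_VERSION` (a string such as `expat_2.7.1`), cross-checks it against `pyexpat.version_info`, and compares it with the 2.6.0 threshold named in the thread. The threshold constant and the report layout are this example's own choices.

```python
"""Report whether the Expat linked into this interpreter meets the 2.6.0
threshold discussed in the PR thread. Added example, not CPython's code."""
import re
import sys

import pyexpat

# Threshold taken from the discussion above: Expat releases lower than
# 2.6.0 may be affected by the issues the docs table lists. On Linux the
# library is usually system-provided, so the value must be read at runtime.
SAFE_EXPAT = (2, 6, 0)

# XML_ExpatVersion() renders the version as "expat_<major>.<minor>.<micro>".
_VERSION_RE = re.compile(r"expat_(\d+)\.(\d+)\.(\d+)")


def parse_expat_version(version_string):
    """Turn an EXPAT_VERSION string such as 'expat_2.7.1' into (2, 7, 1).

    Raises ValueError for strings that do not follow the expected layout,
    so an unexpected vendor build is reported rather than silently passed.
    """
    match = _VERSION_RE.fullmatch(version_string.strip())
    if match is None:
        raise ValueError(f"unrecognised EXPAT_VERSION: {version_string!r}")
    return tuple(int(part) for part in match.groups())


def expat_meets_threshold(version, threshold=SAFE_EXPAT):
    """True when a (major, minor, micro) tuple is at or above the threshold."""
    return tuple(version) >= tuple(threshold)


def check_runtime():
    """Describe the Expat library this interpreter was built or linked with."""
    parsed = parse_expat_version(pyexpat.EXPAT_VERSION)
    # pyexpat.version_info is a (major, minor, micro) tuple from the same
    # library; both sources should agree, and a mismatch is worth flagging.
    consistent = parsed == tuple(pyexpat.version_info)
    return {
        "python": sys.version.split()[0],
        "expat_version": pyexpat.EXPAT_VERSION,
        "parsed": parsed,
        "consistent": consistent,
        "meets_threshold": expat_meets_threshold(parsed),
    }


if __name__ == "__main__":
    info = check_runtime()
    verdict = "at or above" if info["meets_threshold"] else "BELOW"
    print(f"Python {info['python']} uses {info['expat_version']} "
          f"({verdict} {'.'.join(map(str, SAFE_EXPAT))})")
    if not info["consistent"]:
        print("warning: EXPAT_VERSION and pyexpat.version_info disagree")
```

Run it under each interpreter you deploy (including distribution-packaged ones, where Expat comes from the OS) rather than relying on the CPython release number alone; that is the point encukou and vstinner make about system-provided libraries.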

Reviewers: No reviews
Assignees: No one assigned
Labels: awaiting core review; docs (Documentation in the Doc dir); needs backport to 3.13 (bugs and security fixes); needs backport to 3.14 (bugs and security fixes); skip news
Projects: Status: Todo
Milestone: No milestone

3 participants: @vstinner, @encukou, @hannob
