Add forbid_dtd flag, since we don't need any DTDs.

author: Tom Christie 2013-02-22 19:41:09 +0000
committer: Tom Christie 2013-02-22 19:41:09 +0000
commit: 569c3a28e662ccef251acc6494047ec9c83556c2 (patch)
tree: c89979b38164bfc7df838a15f9ee4f8e9459217d
parent: dcee027fa97f015ff3b87f0fd72b7995cdd6e155 (diff)
download: django-rest-framework-569c3a28e662ccef251acc6494047ec9c83556c2.tar.bz2
1 files changed, 1 insertions, 1 deletions
diff --git a/rest_framework/parsers.py b/rest_framework/parsers.py
index 7bbb5f94..491acd68 100644
--- a/rest_framework/parsers.py
+++ b/rest_framework/parsers.py
@@ -152,7 +152,7 @@ class XMLParser(BaseParser):
         encoding = parser_context.get('encoding', settings.DEFAULT_CHARSET)
         parser = etree.DefusedXMLParser(encoding=encoding)
         try:
-            tree = etree.parse(stream, parser=parser)
+            tree = etree.parse(stream, parser=parser, forbid_dtd=True)
         except (etree.ParseError, ValueError) as exc:
             raise ParseError('XML parse error - %s' % six.u(exc))
         data = self._xml_convert(tree.getroot())
author	Tom Christie	2013-02-22 19:41:09 +0000
committer	Tom Christie	2013-02-22 19:41:09 +0000
commit	569c3a28e662ccef251acc6494047ec9c83556c2 (patch)
tree	c89979b38164bfc7df838a15f9ee4f8e9459217d
parent	dcee027fa97f015ff3b87f0fd72b7995cdd6e155 (diff)
download	django-rest-framework-569c3a28e662ccef251acc6494047ec9c83556c2.tar.bz2