From e99d156d62d1ff2e4d1010a114f1992b0880ace8 Mon Sep 17 00:00:00 2001
From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Date: Thu, 26 Mar 2026 09:12:13 +0000
Subject: [PATCH] fix: resolve CodeQL alert #27 - XML external entity expansion

---
 vulnerable_xxe.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/vulnerable_xxe.py b/vulnerable_xxe.py
index b9fc887..61b647c 100644
--- a/vulnerable_xxe.py
+++ b/vulnerable_xxe.py
@@ -1,6 +1,7 @@
 import xml.etree.ElementTree as ET
 from flask import Flask, request
 from lxml import etree
+import defusedxml.lxml as defused_lxml
 import xml.sax
 
 app = Flask(__name__)
@@ -17,8 +18,7 @@ def parse_xml():
 def process_xml():
     xml_content = request.data.decode()
-    parser = etree.XMLParser()
-    doc = etree.fromstring(xml_content.encode(), parser)
+    doc = defused_lxml.fromstring(xml_content.encode())
     return etree.tostring(doc).decode()
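Review bot: The new `doc = defused_lxml.fromstring(...)` line in process_xml builds the fix on `defusedxml.lxml`, which the defusedxml project itself documents as deprecated and scheduled for removal, so a routine dependency upgrade could undo this CodeQL fix. The same protection is available from lxml directly by keeping the parser line the hunk removes and hardening it: `parser = etree.XMLParser(resolve_entities=False, no_network=True, load_dtd=False)` followed by `doc = etree.fromstring(xml_content.encode(), parser)`, which makes the import added in the first hunk unnecessary. Either variant raises on attacker-controlled input (`etree.XMLSyntaxError` from lxml, or defusedxml's `DTDForbidden`/`EntitiesForbidden` when a payload carries a DTD) and nothing in the hunk catches it, so a rejected document surfaces as an unhandled 500 instead of a 400; a why-comment on the parser line explaining that entity expansion and DTD loading are disabled to block XXE would also help the next reader. The file still imports `xml.etree.ElementTree` and `xml.sax` and parse_xml lies outside this hunk, so I cannot tell from here whether those parsing paths received the same hardening.

```python
def process_xml():
    xml_content = request.data.decode()
    # Entities are never expanded and no DTD is loaded or fetched, so a
    # crafted document cannot read local files or reach internal hosts (XXE).
    parser = etree.XMLParser(resolve_entities=False, no_network=True, load_dtd=False)
    try:
        doc = etree.fromstring(xml_content.encode(), parser)
    except etree.XMLSyntaxError:
        return "invalid XML", 400
    return etree.tostring(doc).decode()
```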