tiran/defusedxml

lxml module status

Closed this issue · 1 comment

The defusedxml.lxml module states that it is an example. What would make this module better?

I see some things around the lxml parser that seem to be in question, like whether the remove_comments option should be enabled by default, or whether comments should be blacklisted. Do you have an opinion on those, especially in relation to the latest SAML vulnerability by Duo?
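To make the remove_comments question concrete, here is an added example (not code from the defusedxml project or from this thread) showing how a comment placed inside a text node changes what lxml returns. The NameID document is constructed for the example; the three functions read the same element with the default parser via `.text` only, with the default parser collecting child tails, and with a parser built with `remove_comments=True`.

```python
from lxml import etree

# Constructed sample, not taken from the page: a SAML-style NameID whose
# character data is interrupted by an XML comment. Ignoring the comment,
# the element content is "user@example.com.evil.com".
SAMPLE = b'<NameID>user@example.com<!-- split -->.evil.com</NameID>'


def name_id_naive(doc: bytes) -> str:
    """Default lxml parser, reading only Element.text.

    lxml keeps the comment as a child node of <NameID>, so .text stops at the
    comment; the remainder of the content is stored as the comment's .tail.
    """
    root = etree.fromstring(doc)
    return root.text or ""


def name_id_with_tails(doc: bytes) -> str:
    """Default parser, but concatenate .text with the .tail of every child.

    This recovers the full content whatever the comment position: comment
    children contribute their tail (the text after them), not the comment
    body itself.
    """
    root = etree.fromstring(doc)
    parts = [root.text or ""]
    for child in root:
        parts.append(child.tail or "")
    return "".join(parts)


def name_id_remove_comments(doc: bytes) -> str:
    """Parser built with remove_comments=True.

    No comment node is created, so the character data before and after the
    comment is coalesced into one text node and .text holds the whole value.
    resolve_entities=False is unrelated to comments; it is set here only
    because this parser is meant to look at untrusted input.
    """
    parser = etree.XMLParser(remove_comments=True, resolve_entities=False)
    root = etree.fromstring(doc, parser)
    return root.text or ""


def comment_children(doc: bytes) -> int:
    """Count comment nodes that survive parsing with the default parser."""
    root = etree.fromstring(doc)
    return sum(1 for child in root if child.tag is etree.Comment)


if __name__ == "__main__":
    print("naive .text        :", name_id_naive(SAMPLE))
    print("text + child tails :", name_id_with_tails(SAMPLE))
    print("remove_comments    :", name_id_remove_comments(SAMPLE))
    print("comment children   :", comment_children(SAMPLE))
```

The point for a consumer of an identity assertion is that `name_id_naive` and `name_id_remove_comments` disagree on the same bytes; whichever value the signature check covered, the application must compare the same one, and a default of `remove_comments=True` is one way to make `.text` match the full content.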

tiran commented

The defusedxml.lxml module was never designed as production code. As you said, it's merely an example and proof of concept. I have neither interest, motivation, nor resources to deal with lxml. Therefore I have deprecated the module in the upcoming 0.6 release and plan to remove it in 0.7.

Any security issue should be fixed in lxml instead.