# XML External Entity (XXE) Injection

- ID: python-xxe
- Severity: HIGH
- CWE: XXE (CWE-611)
- Languages: Python
- Frameworks: django, flask, fastapi

## Description

Detects XML parsing with external entity processing enabled. XXE attacks allow attackers to read local files, perform SSRF, or cause denial of service. Always disable external entity processing when parsing untrusted XML.

## Remediation

Use defusedxml instead of standard XML parsers for untrusted input.

```python
import defusedxml.ElementTree as ET
from defusedxml import DefusedXmlException
from flask import Flask, request, jsonify

app = Flask(__name__)


@app.route('/api/xml', methods=['POST'])
def parse_xml():
    try:
        # defusedxml rejects entity declarations and external references;
        # those rejections surface as DefusedXmlException, not ParseError
        root = ET.fromstring(request.data)
    except (ET.ParseError, DefusedXmlException):
        return jsonify({'error': 'Invalid XML'}), 400
    name = root.find('name')
    if name is None or name.text is None:
        return jsonify({'error': 'Missing name element'}), 400
    return jsonify({'name': name.text})
```

Learn more: https://shoulder.dev/learn/python/cwe-611/xxe

## Related Rules

- **XML External Entity (XXE) Injection** [HIGH]
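The rule above says to reject DTD and entity processing before untrusted XML is parsed. As an added example (not part of this rule page and not defusedxml's own code), the block below shows what such a guard looks like using only the standard library: a first pass with `xml.parsers.expat` whose handlers abort on any `DOCTYPE`, entity declaration or external entity reference, followed by a normal `ElementTree` parse. The function names (`scan_for_entities`, `parse_untrusted_xml`, `is_safe_xml`) and the sample documents are constructed for this example; the `file:///placeholder/...` system id is a placeholder, not a real path.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat


class UnsafeXML(ValueError):
    """Raised when a document uses a DTD, entity declarations or external references."""


def _reject_doctype(name, sysid, pubid, has_internal_subset):
    # Any DOCTYPE is refused outright: a document for a JSON-style API has no need for one.
    raise UnsafeXML(f"DOCTYPE declaration not allowed (name={name!r})")


def _reject_entity_decl(name, is_param, value, base, sysid, pubid, notation):
    # Covers both internal entities (expansion / "billion laughs") and SYSTEM/PUBLIC ones.
    raise UnsafeXML(f"entity declaration not allowed (name={name!r})")


def _reject_external_ref(context, base, sysid, pubid):
    # Defence in depth: never resolve an external entity even if one slipped through.
    raise UnsafeXML(f"external entity reference not allowed (system id={sysid!r})")


def scan_for_entities(data: bytes) -> None:
    """First pass: walk the document with expat and abort on any DTD construct.

    Expat does not fetch external resources on its own unless a handler asks it to,
    so this pass has no side effects even on hostile input.
    """
    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = _reject_doctype
    parser.EntityDeclHandler = _reject_entity_decl
    parser.ExternalEntityRefHandler = _reject_external_ref
    parser.Parse(data, True)


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse XML from an untrusted source; raises UnsafeXML or ExpatError on bad input."""
    scan_for_entities(data)
    return ET.fromstring(data)


def is_safe_xml(data: bytes) -> bool:
    """True if the document passes the guard; malformed XML is treated as unsafe too."""
    try:
        scan_for_entities(data)
    except (UnsafeXML, expat.ExpatError):
        return False
    return True


# Constructed sample inputs (not captured from any real system).
BENIGN = b"<user><name>alice</name></user>"
EXTERNAL_ENTITY = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE user [<!ENTITY ext SYSTEM "file:///placeholder/not-a-real-path">]>'
    b"<user><name>&ext;</name></user>"
)
INTERNAL_EXPANSION = b'<!DOCTYPE a [<!ENTITY x "xx"><!ENTITY y "&x;&x;&x;">]><a>&y;</a>'

if __name__ == "__main__":
    print(parse_untrusted_xml(BENIGN).find("name").text)   # alice
    for sample in (EXTERNAL_ENTITY, INTERNAL_EXPANSION):
        print(is_safe_xml(sample))                           # False, False
```

In a web handler, catch `UnsafeXML` alongside `ExpatError` and return a 400, the same way the remediation snippet returns 400 on `ParseError`; logging the rejected document's DOCTYPE name gives a cheap detection signal for XXE probing without ever resolving the entity.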