nyx/tests/fixtures/xxe/python/safe_lxml.py

# Safe: lxml.etree.parse is XXE-safe by default in modern lxml — external
# entities are not resolved unless `XMLParser(resolve_entities=True)` is
# passed in.  No XXE rule should fire here.
import lxml.etree
from flask import request


def handle():
    body = request.args.get("xml")
    return lxml.etree.parse(body)
new capacity bits (#67) 2026-05-07 01:29:31 -04:00			`# Safe: lxml.etree.parse is XXE-safe by default in modern lxml — external`
			# entities are not resolved unless `XMLParser(resolve_entities=True)` is
			`# passed in. No XXE rule should fire here.`
			`import lxml.etree`
			`from flask import request`


			`def handle():`
			`body = request.args.get("xml")`
			`return lxml.etree.parse(body)`