nyx/tests/fixtures/xxe/python/safe_xxe.py

# Safe: tainted XML routed through defusedxml, which strips external-entity
# resolution.  Treated as a Sanitizer(XXE), so taint-xxe stays clean.
import defusedxml.ElementTree
from flask import request

def handle():
    body = request.args.get("xml")
    tree = defusedxml.ElementTree.fromstring(body)
    return tree
new capacity bits (#67) 2026-05-07 01:29:31 -04:00			`# Safe: tainted XML routed through defusedxml, which strips external-entity`
			`# resolution. Treated as a Sanitizer(XXE), so taint-xxe stays clean.`
			`import defusedxml.ElementTree`
			`from flask import request`

			`def handle():`
			`body = request.args.get("xml")`
			`tree = defusedxml.ElementTree.fromstring(body)`
			`return tree`