

pypm install defusedexpat

How to install defusedexpat

  1. Download and install ActivePython
  2. Open Command Prompt
  3. Type pypm install defusedexpat
[Build table: Python 2.7, 3.2 and 3.3 on Windows (32-bit), Windows (64-bit), Mac OS X (10.5+), Linux (32-bit) and Linux (64-bit); version 0.4 is listed as available, with build logs, for some of these combinations.]

Latest release: version 0.4 on Feb 28th, 2013

defusedexpat protects the XML packages of Python's standard library from several denial of service vulnerabilities and external entity exploits. It contains

  • a modified and enhanced version of expat parser library
  • replacements for pyexpat and cElementTree's _elementtree extension modules
  • loader code that replaces built-in extensions with the modified extensions
  • monkey patches for xml.sax and xml.dom to prevent external entity expansions

In order to protect your application you have to import the defusedxml module before any of the stdlib's XML modules.


  • a limit on the entity expansion nesting level to counter billion laughs attacks
  • limited total length of expansions to prevent quadratic blowups
  • monkey patch to prevent retrieval of external entities and DTDs
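The following is an added example, not defusedexpat's own code, showing how the first two protections above (a nesting limit against billion laughs, a total-length limit against quadratic blowup) and a refusal of external entities can be expressed with nothing but the stdlib's `xml.parsers.expat` handlers. The `GuardedParser` class, `EntityBudgetError`, `parse_guarded`, `is_rejected`, the limit values and the three sample documents are all constructed for the demo; defusedexpat implements the same counters in C inside the patched expat.

```python
"""Entity budget guard on top of the stdlib expat bindings.

Added example for this page, not defusedexpat's own code. Limit values and
sample documents are constructed for the demo.
"""
import re
from xml.parsers import expat

# A general entity reference (&name;) inside a replacement text; character
# references (&#...;) are deliberately excluded.
ENTITY_REF = re.compile(r"&([^;&#\s]+);")


class EntityBudgetError(ValueError):
    """Document exceeds the entity budget or declares an external entity."""


class GuardedParser:
    """Wraps an expat parser and enforces entity limits from inside its handlers."""

    def __init__(self, max_entity_indirections=3, max_entity_expansions=1000):
        self.max_indirections = max_entity_indirections  # 0 disables, as in defusedexpat
        self.max_expansions = max_entity_expansions      # 0 disables
        self.entities = {}      # name -> replacement text as declared in the DTD
        self.entity_costs = {}  # name -> (expanded length, nesting depth)
        self.chars_seen = 0     # character data delivered so far, expansions included
        self.text = []
        p = expat.ParserCreate()
        p.EntityDeclHandler = self._entity_decl
        p.EndDoctypeDeclHandler = self._end_doctype
        p.CharacterDataHandler = self._chars
        self.parser = p

    def _entity_decl(self, name, is_parameter, value, base, system_id, public_id, notation):
        # value is None for external (SYSTEM/PUBLIC) entities: refuse them outright.
        if value is None:
            raise EntityBudgetError("external entity %r is not allowed" % name)
        if not is_parameter:
            self.entities[name] = value

    def _end_doctype(self):
        # Static pass: cost every declared entity once, before the body can
        # reference it. A leaf entity counts as one indirection; each nested
        # reference adds one more.
        memo = self.entity_costs

        def cost(name, stack):
            if name in memo:
                return memo[name]
            if name in stack:
                raise EntityBudgetError("recursive entity %r" % name)
            value = self.entities[name]
            length, depth = len(value), 1
            for m in ENTITY_REF.finditer(value):
                ref = m.group(1)
                if ref in self.entities:
                    sub_len, sub_depth = cost(ref, stack | {name})
                    length += sub_len - len(m.group(0))  # reference text becomes its expansion
                    depth = max(depth, sub_depth + 1)
            memo[name] = (length, depth)
            return memo[name]

        for name in self.entities:
            length, depth = cost(name, frozenset())
            if self.max_indirections and depth > self.max_indirections:
                raise EntityBudgetError("entity %r nests %d levels deep" % (name, depth))
            if self.max_expansions and length > self.max_expansions:
                raise EntityBudgetError("entity %r expands to %d characters" % (name, length))

    def _chars(self, data):
        # Runtime pass: expat hands expanded text back in pieces, so raising here
        # aborts the parse before an over-budget expansion is completed.
        self.chars_seen += len(data)
        if self.max_expansions and self.chars_seen > self.max_expansions:
            raise EntityBudgetError("document text exceeds %d characters" % self.max_expansions)
        self.text.append(data)

    def parse(self, data):
        self.parser.Parse(data, True)
        return "".join(self.text)


def parse_guarded(data, **limits):
    """Parse bytes with a fresh GuardedParser and return the concatenated text."""
    return GuardedParser(**limits).parse(data)


def is_rejected(data, **limits):
    """True if GuardedParser refuses the document under the given limits."""
    try:
        parse_guarded(data, **limits)
    except EntityBudgetError:
        return True
    return False


# Constructed sample documents (not from the page).
BENIGN_DOC = b"""<?xml version="1.0"?>
<!DOCTYPE note [ <!ENTITY vendor "Example Corp"> ]>
<note>Shipped by &vendor;</note>"""

# Three nesting levels with fan-out 3: 27 characters in total, harmless,
# but enough to show both limits triggering.
NESTED_DOC = b"""<?xml version="1.0"?>
<!DOCTYPE d [ <!ENTITY a "xxx"> <!ENTITY b "&a;&a;&a;"> <!ENTITY c "&b;&b;&b;"> ]>
<d>&c;</d>"""

EXTERNAL_DOC = b"""<?xml version="1.0"?>
<!DOCTYPE d [ <!ENTITY ext SYSTEM "http://example.invalid/placeholder"> ]>
<d>&ext;</d>"""

if __name__ == "__main__":
    print(parse_guarded(BENIGN_DOC))
    print(parse_guarded(NESTED_DOC, max_entity_indirections=3, max_entity_expansions=100))
    print(is_rejected(NESTED_DOC, max_entity_indirections=2),
          is_rejected(NESTED_DOC, max_entity_expansions=20),
          is_rejected(EXTERNAL_DOC))
```

The static pass rejects an over-budget DTD before a single byte of the body is parsed; the runtime counter covers the case the static pass cannot see, a document that references a modestly sized entity many times. Note that the stdlib bindings never fetch external entities on their own (that is done by the xml.sax layer), so the external-entity check here simply refuses the declaration.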


Modifications in pyexpat
Parser object

New parser attributes (r/w)

  • max_entity_indirections
  • max_entity_expansions
  • reset_dtd
Module constants
Module functions
  • get_reset_dtd(), set_reset_dtd(bool)
  • get_max_entity_expansions(), set_max_entity_expansions(int)
  • get_max_entity_indirections(), set_max_entity_indirections(int)
New CAPI members
  • capi.GetFeature
  • capi.SetFeature
  • capi.GetFeatureDefault
  • capi.SetFeatureDefault
Modifications in _elementtree

New arguments and r/o attributes

  • max_entity_indirections
  • max_entity_expansions
  • ignore_dtd
Modifications in expat

new definitions:


new XML_FeatureEnum members:


new XML_Error members:


new API functions:

int XML_GetFeature(XML_Parser parser,
                   enum XML_FeatureEnum feature,
                   long *value);
int XML_SetFeature(XML_Parser parser,
                   enum XML_FeatureEnum feature,
                   long value);
int XML_GetFeatureDefault(enum XML_FeatureEnum feature,
                          long *value);
int XML_SetFeatureDefault(enum XML_FeatureEnum feature,
                          long value);

Limit the amount of indirections that are allowed to occur during the expansion of a nested entity. A counter starts when an entity reference is encountered. It resets after the entity is fully expanded. The limit protects the parser against exponential entity expansion attacks (aka billion laughs attack). When the limit is exceeded the parser stops and fails with XML_ERROR_ENTITY_INDIRECTIONS. A value of 0 disables the protection.

Supported range

Limit the total length of all entity expansions throughout the entire document. The lengths of all entities are accumulated in a parser variable. The setting protects against quadratic blowup attacks (lots of expansions of a large entity declaration). When the sum of all entities exceeds the limit, the parser stops and fails with XML_ERROR_ENTITY_EXPANSION. A value of 0 disables the protection.

Supported range
8 MiB

Reset all DTD information after the <!DOCTYPE> block has been parsed. When the flag is set (default: false), all DTD information is reset after the endDoctypeDeclHandler has been called. The flag can be set inside the endDoctypeDeclHandler. Without DTD information any entity reference in the document body leads to XML_ERROR_UNDEFINED_ENTITY.

Supported range
0, 1


  • Python 2.6.6 or newer (2.6.8 or newer for randomized hashing)
  • Python 2.7 (2.7.3 or newer for randomized hashing and Windows binaries)
  • Python 3.1 (3.1.5 or newer for randomized hashing and Windows binaries)
  • Python 3.2 (3.2.3 or newer for randomized hashing and Windows binaries)
  • Python 3.3.0 or newer

Windows binaries are compatible with micro releases 2.6.6, 2.7.3, 3.1.5, 3.2.3 and 3.3.0 or newer. They don't work on older versions.


Copyright (c) 2013 by Christian Heimes <christian@python.org>

Licensed to PSF under a Contributor Agreement.

See http://www.python.org/psf/license for licensing details.


  • Antoine Pitrou (code review)
  • Brett Cannon (code review)


defusedexpat 0.4

Release date: 25-Feb-2013

  • Make source code compatible with Python versions without hash randomization.
  • Include latest version of expat patch
defusedexpat 0.3

Release date: 19-Feb-2013

  • Disable some tests on Windows because the proxy trick doesn't work
  • Remove 'bomb protection' suffix from CAPI MAGIC
  • Don't support additional kwargs in _elementtree when XML_BOMB_PROTECTION is not available.
  • Implement a better and more flexible get/set feature API in expat
  • Add module functions to set global settings
defusedexpat 0.2

Release date: 15-Feb-2013

  • Python 3.1 support
  • Misc fixes and improvements
defusedexpat 0.1

Release date: 11-Feb-2013

  • Initial and internal release for PSRT review

Last updated Feb 28th, 2013
