From 912016b7565abcc1860d5e02c8cd38af7c6bd361 Mon Sep 17 00:00:00 2001
From: lifegpc
Date: Wed, 27 Jan 2021 10:22:17 +0800
Subject: [PATCH] try use defusedxml first to avoid some attack.

---
 requirements.txt | 1 +
 rssparser.py | 11 +++++++++--
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/requirements.txt b/requirements.txt
index 65d7ffc..f2dcb5d 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1 +1,2 @@
 requests>=2.25.1
+defusedxml>=0.6.0; python_version < '3.9'
diff --git a/rssparser.py b/rssparser.py
index 6fd0312..0edff0c 100644
--- a/rssparser.py
+++ b/rssparser.py
@@ -14,6 +14,13 @@
 # You should have received a copy of the GNU Affero General Public License
 # along with this program. If not, see .
 from xml.dom import minidom
+defusedxmlSupported = True
+try:
+ from defusedxml.minidom import parse, parseString
+except:
+ parse = minidom.parse
+ parseString = minidom.parseString
+ defusedxmlSupported = False
 from html.parser import HTMLParser
 from html import escape, unescape
 import sys
@@ -351,9 +358,9 @@ class RSSParser:
 re = requests.get(fn)
 re.encoding = 'utf8'
 if re.status_code == 200:
- self.xmldoc = minidom.parseString(re.text)
+ self.xmldoc = parseString(re.text)
 else:
- self.xmldoc = minidom.parse(fn)
+ self.xmldoc = parse(fn)
 self.normalize()
 return True
 except:
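Review bot: The environment marker on the added line, `defusedxml>=0.6.0; python_version < '3.9'`, means defusedxml is never installed on Python 3.9 or newer, and because the rssparser.py import hunk falls back to `xml.dom.minidom` when that import fails, those interpreters parse untrusted feeds with exactly the stdlib parser this commit is trying to avoid. The stdlib minidom does not reject DTD-driven entity expansion (the "billion laughs" class of denial of service), so the hardening only takes effect on the older interpreters. If the marker is a workaround for defusedxml 0.6.0 not importing cleanly on 3.9, the better fix is to require a release that supports 3.9 unconditionally, `defusedxml>=0.7.0`, rather than to exclude the newer interpreters from the protection.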
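Review bot: The bare `except:` around the defusedxml import catches every exception, not just a missing package, so any failure inside defusedxml at import time (including a KeyboardInterrupt during startup) silently downgrades the parser to `minidom`; it should be `except ImportError:`. The fallback is also silent: `defusedxmlSupported` is set to False but nothing in this diff reads it, so an operator gets no signal that feeds are being parsed without the hardened parser. Suggest emitting a warning in the except branch, for example `warnings.warn('defusedxml not available, falling back to xml.dom.minidom')` with `import warnings` added alongside the other imports, or otherwise surfacing `defusedxmlSupported` at startup.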
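Review bot: With the hardened parser in place, `parseString(re.text)` and `parse(fn)` can now fail for a new reason, because defusedxml raises when a document declares a DTD or entities, and the surrounding `except:` (the handler body is outside the hunk, as is the start of the enclosing method) treats that rejection like any other parse or network failure. A feed rejected for carrying a forbidden construct is the event a defender most wants to notice, so the handler should at least record the exception via the `logging` module (`logging.exception('failed to parse feed %s', fn)`) rather than swallow it; narrowing that bare `except:` to the specific exception types would also stop it from hiding unrelated bugs.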