How to Protect Text from XXE Attacks in Python

Cloudmersive
2 min read · Apr 28, 2021

XML External Entity (XXE) attacks exploit the way XML parsers handle Document Type Definitions (DTD): a crafted entity declaration can expand into an enormous payload and cause a denial of service, or can reference an external resource so that the parser performs Server Side Request Forgery (SSRF) or discloses sensitive data. In this brief tutorial, we will demonstrate how to use an API in Python to detect XXE attacks in text input, including options to allow or block Internet URLs for DTDs and to supply a list of known safe or unsafe URLs.

Let’s start the process by running this command to install the Python SDK:

pip install cloudmersive-validate-api-client

Next, we will call the validation function with the following code:

from __future__ import print_function
import cloudmersive_validate_api_client
from cloudmersive_validate_api_client.rest import ApiException
from pprint import pprint

# Configure API key authorization: Apikey
configuration = cloudmersive_validate_api_client.Configuration()
configuration.api_key['Apikey'] = 'YOUR_API_KEY'

# Create an instance of the API class
api_instance = cloudmersive_validate_api_client.TextInputApi(cloudmersive_validate_api_client.ApiClient(configuration))

value = 'value_example'  # str | User-facing text input to be checked.
allow_internet_urls = True  # bool | Optional: set to True to allow Internet-based dependency URLs for DTDs and other XML External Entities, False to block them. Default is False.
known_safe_urls = 'known_safe_urls_example'  # str | Optional: comma-separated list of fully-qualified URLs that will automatically be considered safe.
known_unsafe_urls = 'known_unsafe_urls_example'  # str | Optional: comma-separated list of fully-qualified URLs that will automatically be considered unsafe.

try:
    # Protect text input from XML External Entity (XXE) attacks
    api_response = api_instance.text_input_check_xxe(value, allow_internet_urls=allow_internet_urls, known_safe_urls=known_safe_urls, known_unsafe_urls=known_unsafe_urls)
    pprint(api_response)
except ApiException as e:
    print("Exception when calling TextInputApi->text_input_check_xxe: %s\n" % e)

With this simple check in place, you can reject text input that is flagged as containing XXE payloads before it ever reaches your XML parser.
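The three policy parameters used above (allow_internet_urls, known_safe_urls, known_unsafe_urls) are easier to reason about with an offline illustration. The following is an added example, not Cloudmersive's code and not a reimplementation of their service: a local pre-parse filter that extracts SYSTEM/PUBLIC identifiers from DOCTYPE and ENTITY declarations, applies the same allow/block and safe/unsafe-list semantics to each URL, and additionally flags nested internal-entity expansion (the denial-of-service case the introduction mentions). The function name local_xxe_check, the XxeCheckResult type, the MAX_NESTED_ENTITY_REFS threshold and every sample document are constructed for this example; the sample URLs use the reserved example.com domain.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Heuristic threshold chosen for this example (an assumption, not API behaviour):
# more entity-to-entity references than this inside the DTD looks like an expansion attack.
MAX_NESTED_ENTITY_REFS = 20

# External identifiers in DOCTYPE / ENTITY declarations:  SYSTEM "uri"  or  PUBLIC "pubid" "uri"
_EXTERNAL_ID_RE = re.compile(
    r'<!(?:ENTITY|DOCTYPE)\b[^>]*?\b(?:SYSTEM|PUBLIC\s+(?:"[^"]*"|\'[^\']*\'))\s+(?:"([^"]*)"|\'([^\']*)\')',
    re.IGNORECASE,
)
# Internal entity declarations carrying literal replacement text:  <!ENTITY [%] name "text">
_INTERNAL_ENTITY_RE = re.compile(
    r'<!ENTITY\s+(%\s*)?([\w.:-]+)\s+(?:"([^"]*)"|\'([^\']*)\')\s*>', re.IGNORECASE
)
# General (&name;) and parameter (%name;) entity references
_ENTITY_REF_RE = re.compile(r'[&%]([\w.:-]+);')


@dataclass
class XxeCheckResult:
    contains_xxe: bool
    external_urls: list = field(default_factory=list)  # every SYSTEM/PUBLIC URI found
    reasons: list = field(default_factory=list)        # why the input was flagged


def _split_urls(csv):
    """Turn the API-style comma-separated URL list into a set of exact URLs."""
    return {u.strip() for u in csv.split(",") if u.strip()}


def classify_url(url, allow_internet_urls, known_safe, known_unsafe):
    """Explicit lists win; Internet schemes follow the flag; anything else is local resource access."""
    if url in known_unsafe:
        return "unsafe"
    if url in known_safe:
        return "safe"
    scheme = urlparse(url).scheme.lower()
    if scheme in ("http", "https", "ftp"):
        return "safe" if allow_internet_urls else "unsafe"
    # file:, jar:, gopher:, bare relative paths ... all reach local resources
    return "unsafe"


def local_xxe_check(value, allow_internet_urls=False, known_safe_urls="", known_unsafe_urls=""):
    """Screen XML text for XXE indicators using the same option semantics as the API call above."""
    known_safe = _split_urls(known_safe_urls)
    known_unsafe = _split_urls(known_unsafe_urls)
    result = XxeCheckResult(contains_xxe=False)

    # 1. External entity / external DTD references: the SSRF and file-disclosure vector
    for m in _EXTERNAL_ID_RE.finditer(value):
        url = m.group(1) if m.group(1) is not None else m.group(2)
        result.external_urls.append(url)
        if classify_url(url, allow_internet_urls, known_safe, known_unsafe) == "unsafe":
            result.contains_xxe = True
            result.reasons.append(f"external reference to {url!r} is not allowed")

    # 2. Internal entities that reference other declared entities: the expansion (DoS) vector
    declared = {}
    for m in _INTERNAL_ENTITY_RE.finditer(value):
        declared[m.group(2)] = m.group(3) if m.group(3) is not None else m.group(4)
    nested_refs = sum(
        1 for text in declared.values()
        for ref in _ENTITY_REF_RE.finditer(text)
        if ref.group(1) in declared
    )
    if nested_refs > MAX_NESTED_ENTITY_REFS:
        result.contains_xxe = True
        result.reasons.append(f"{nested_refs} nested entity references suggest entity expansion")
    return result


# Constructed sample inputs for exercising the filter (not real traffic).
BENIGN_XML = '<?xml version="1.0"?><order><id>42</id><note>a &amp; b</note></order>'
FILE_XXE_XML = ('<?xml version="1.0"?>'
                '<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
                '<foo>&xxe;</foo>')
REMOTE_DTD_XML = ('<?xml version="1.0"?>'
                  '<!DOCTYPE foo SYSTEM "https://dtd.example.com/foo.dtd"><foo/>')


def nested_entity_xml(levels=3, fanout=10):
    """Build a small self-referencing entity chain (the classic expansion shape) as a test fixture."""
    decls = ['<!ENTITY lol0 "lol">']
    for i in range(1, levels + 1):
        refs = f"&lol{i - 1};" * fanout
        decls.append(f'<!ENTITY lol{i} "{refs}">')
    return f'<?xml version="1.0"?><!DOCTYPE lolz [{"".join(decls)}]><lolz>&lol{levels};</lolz>'


if __name__ == "__main__":
    for name, doc in [("benign", BENIGN_XML), ("file entity", FILE_XXE_XML),
                      ("remote DTD", REMOTE_DTD_XML), ("nested entities", nested_entity_xml())]:
        r = local_xxe_check(doc)
        print(f"{name:16} contains_xxe={r.contains_xxe} {r.reasons}")
    # The same remote DTD passes once Internet URLs are allowed, unless it is on the unsafe list
    print(local_xxe_check(REMOTE_DTD_XML, allow_internet_urls=True).contains_xxe)
```

A filter like this is a screening step in front of the parser, not a replacement for a hardened one: flagged input should be rejected, and the remaining input should still be parsed with external entity resolution disabled (for example with the defusedxml package), since pattern matching on the raw text can miss encodings that a real parser would still accept.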
