How to Protect Text Input from XML External Entity (XXE) Attacks using Python

2 min readJul 20, 2022

Effective XML External Entity attacks look to interfere with your application’s processing of serialized data. Without a countermeasure to check XML text strings, such attacks can infect files and wreak havoc on your system internally. Our XXE Detection API can identify such attacks in text form and alert you immediately (with a simple Boolean string) if there’s a threat, giving you time to isolate and eliminate the threat before your data parser steps on the proverbial tripwire. Below, we’ll demonstrate how you can use this API for free & structure your API call with ready-to-run Python code. In order to use this API, you’ll need a free Cloudmersive API key, which you can get by registering a free account on our website.

To start, let’s install the Python SDK by running the following command:

pip install cloudmersive-security-api-client

After that, let’s include the imports and the authorization snippet (where you’ll input your API key once obtained):

from __future__ import print_function
import time
import cloudmersive_security_api_client
from import ApiException
from pprint import pprint
# Configure API key authorization: Apikey
configuration = cloudmersive_security_api_client.Configuration()
configuration.api_key['Apikey'] = 'YOUR_API_KEY'

Finally, we can now call the function and get our results:

# create an instance of the API class
api_instance = cloudmersive_security_api_client.ContentThreatDetectionApi(cloudmersive_security_api_client.ApiClient(configuration))
value = 'value_example' # str | User-facing text input.
# Protect text input from XML External Entity (XXE) attacks
api_response = api_instance.content_threat_detection_check_xxe(value)
except ApiException as e:
print("Exception when calling ContentThreatDetectionApi->content_threat_detection_check_xxe: %s\n" % e)

It’s really that easy — no more code required. Your response will include the aforementioned boolean indicating if the XML text contained an XXE threat, and it will also provide a boolean verifying if the operation itself was successful.




There’s an API for that. Cloudmersive is a leader in Highly Scalable Cloud APIs.