From 9b2d4d0d8d5e56965d65bec69930004d67a2caa6 Mon Sep 17 00:00:00 2001
From: Chris Hennes
Date: Sun, 23 Nov 2025 12:34:18 -0600
Subject: [PATCH] Gui: Switch to defusedxml for document recovery
---
 src/Gui/DocumentRecovery.cpp | 13 ++++++-------
 src/Tools/doctools.py | 9 ++++-----
 2 files changed, 10 insertions(+), 12 deletions(-)
diff --git a/src/Gui/DocumentRecovery.cpp b/src/Gui/DocumentRecovery.cpp
index 1455db8550..845d0d29eb 100644
--- a/src/Gui/DocumentRecovery.cpp
+++ b/src/Gui/DocumentRecovery.cpp
@@ -71,13 +71,12 @@ namespace sp = std::placeholders;
 // taken from the script doctools.py
 std::string DocumentRecovery::doctools
 = "import os,sys,string\n"
- "import xml.sax\n"
- "import xml.sax.handler\n"
- "import xml.sax.xmlreader\n"
+ "from defusedxml import sax as defused_sax\n"
+ "from xml.sax.handler import ContentHandler\n"
 "import zipfile\n"
 "\n"
 "# SAX handler to parse the Document.xml\n"
- "class DocumentHandler(xml.sax.handler.ContentHandler):\n"
+ "class DocumentHandler(ContentHandler):\n"
 " def __init__(self, dirname):\n"
 " self.files = []\n"
 " self.dirname = dirname\n"
@@ -108,7 +107,7 @@ std::string DocumentRecovery::doctools
 " for j in dirs:\n"
 " curpath=curpath+\"/\"+j\n"
 " os.mkdir(curpath)\n"
- " output=open(outpath+\"/\"+i,\'wb\')\n"
+ " output=open(outpath+\"/\"+i,'wb')\n"
 " output.write(data)\n"
 " output.close()\n"
 "\n"
@@ -118,7 +117,7 @@ std::string DocumentRecovery::doctools
 " guixml=os.path.join(dirname,\"GuiDocument.xml\")\n"
 " if os.path.exists(guixml):\n"
 " files.extend(getFilesList(guixml))\n"
- " compress=zipfile.ZipFile(outpath,\'w\',zipfile.ZIP_DEFLATED)\n"
+ " compress=zipfile.ZipFile(outpath,'w',zipfile.ZIP_DEFLATED)\n"
 " for i in files:\n"
 " dirs=os.path.split(i)\n"
 " #print i, dirs[-1]\n"
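Review bot: The embedded script in src/Gui/DocumentRecovery.cpp (hunk at -71) now begins with `from defusedxml import sax as defused_sax`, and nothing in this two-file patch shows defusedxml being added to the build or to the Python environment that ships with the application. If the module is absent at runtime the script fails at import, so document recovery stops working altogether. Confirm the package is bundled on every platform rather than adding a fallback to `xml.sax`, which would silently undo the hardening. A comment above the import, for example `# defusedxml is required here: do not fall back to xml.sax for recovery files`, would record that intent. The same applies to the import hunk at -5 in src/Tools/doctools.py, and the string literal continues past the end of this hunk.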
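Review bot: In the hunk at -108 of src/Gui/DocumentRecovery.cpp, the rewritten line `output=open(outpath+"/"+i,'wb')` and the `os.mkdir(curpath)` loop above it still build filesystem paths by concatenating `i` and `j`, with no check that the result stays under `outpath`. The loop header is outside the hunk, so treating `i` as an archive member name is an inference; if it is one, a name containing `..` components would be created and written outside the target directory, for the same kind of file this commit hardens the XML parsing against. A containment test before the write would cover it, such as skipping the entry unless `os.path.realpath(outpath+"/"+i).startswith(os.path.realpath(outpath)+os.sep)`. Opening the file in a `with` block would also make sure the handle is closed when `write` raises.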
@@ -128,7 +127,7 @@ std::string DocumentRecovery::doctools
 "def getFilesList(filename):\n"
 " dirname=os.path.dirname(filename)\n"
 " handler=DocumentHandler(dirname)\n"
- " parser=xml.sax.make_parser()\n"
+ " parser=defused_sax.make_parser()\n"
 " parser.setContentHandler(handler)\n"
 " parser.parse(filename)\n"
 "\n"
diff --git a/src/Tools/doctools.py b/src/Tools/doctools.py
index becb1376c7..1a24e06092 100644
--- a/src/Tools/doctools.py
+++ b/src/Tools/doctools.py
@@ -5,14 +5,13 @@
 # FreeCAD Python script to work with the FCStd file format.
 import os
-import xml.sax
-import xml.sax.handler
-import xml.sax.xmlreader
+from defusedxml import sax as defused_sax
+from xml.sax.handler import ContentHandler
 import zipfile
 # SAX handler to parse the Document.xml
-class DocumentHandler(xml.sax.handler.ContentHandler):
+class DocumentHandler(ContentHandler):
 def __init__(self, dirname):
 super().__init__()
 self.files = []
@@ -61,7 +60,7 @@ def createDocument(filename, outpath):
 def getFilesList(filename):
 dirname = os.path.dirname(filename)
 handler = DocumentHandler(dirname)
- parser = xml.sax.make_parser()
+ parser = defused_sax.make_parser()
 parser.setContentHandler(handler)
 parser.parse(filename)
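Review bot: `parser.parse(filename)` in getFilesList (hunk at -128 here, and the matching hunk at -61 in src/Tools/doctools.py) can now raise defusedxml's own exceptions such as `EntitiesForbidden` and `ExternalReferenceForbidden`, which derive from `ValueError` rather than `xml.sax.SAXException`. Neither hunk shows a handler and the callers are outside the diff, so an existing `except xml.sax.SAXException` there would presumably let a rejected document through as an unhandled error. It is worth catching `defusedxml.DefusedXmlException` at the call site and reporting the file as unrecoverable. Separately, `defused_sax.make_parser()` leaves `forbid_dtd` at its default of False; if Document.xml never carries a DOCTYPE, adding `parser.forbid_dtd = True` before `parse` would reject such input outright. getFilesList continues past the end of both hunks.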