gh-127502: Update XML vulnerability table

[vstinner]

Python 3.11-3.15 include expat 2.7.1 which is not vulnerable.

expat 2.6.0 was released in February 2024.

• Issue: Reconsider XML Security warnings / obsolete vulnerabilities #127502

---

📚 Documentation preview 📚: https://cpython-previews--135294.org.readthedocs.build/

[encukou]

Do you think the table should be kept, now that it says Safe almost everywhere?

[vstinner]

Do you think the table should be kept, now that it says Safe almost everywhere?

The table has many notes with pyexpat versions. There are likely old Python versions in the wild with old pyexat versions.

The question is more if we need to keep the big red warning at the top:

The XML modules are not secure against erroneous or maliciously constructed data. If you need to parse untrusted or unauthenticated data see the XML vulnerabilities and The defusedxml Package sections.

Maybe this warning can just be removed.

Since Python XML modules are now safe by default, we can maybe remove references to the defusedxml project which is no longer needed.

Note: The latest defused version (0.7.0) was released in 2021. There is a 0.8.0rc2 version around since September 2023 with no final release. The project seems to be unmaintained (latest commit: 2 years ago).

[vstinner]

I updated my PR to remove the red warning and remove references to defusedxml.

[hannob]

There are similar warnings in several other files, e.g.:

Doc/library/xml.etree.elementtree.rst
Doc/library/xml.dom.pulldom.rst
Doc/library/xml.dom.minidom.rst
Doc/library/xml.sax.rst

[vstinner]

There are similar warnings in several other files

Good catch. I replaced most warnings with notes. I replaced also "XML Vulnerabilities" with "XML Security".

I kept the warnings for XML-RPC client and server since the XML table still says that XML-RPC is vulnerable to decompression bomb.