Don’t allow fetching external files unless explicitly asked for

cairosvg/__main__.py

@@ -42,8 +42,8 @@ def main(argv=None, stdout=None, stdin=None):
         help='replace every raster pixel with its complementary color')
     parser.add_argument(
         '-u', '--unsafe', action='store_true',
-        help='resolve XML entities and allow very large files '
-             '(WARNING: vulnerable to XXE attacks and various DoS)')
+        help='fetch external files, resolve XML entities and allow very large '
+             'files (WARNING: vulnerable to XXE attacks and various DoS)')
     parser.add_argument(
         '--output-width', default=None, type=float,
         help='desired output width in pixels')

cairosvg/parser.py

@@ -390,6 +390,12 @@ def __init__(self, **kwargs):
             tree = ElementTree.fromstring(
                 bytestring, forbid_entities=not unsafe,
                 forbid_external=not unsafe)
+
+        # Don’t allow fetching external files unless explicitly asked for
+        if 'url_fetcher' not in kwargs and not unsafe:
+            self.url_fetcher = (
+                lambda *args, **kwargs: b'<svg width="1" height="1"></svg>')
+
         self.xml_tree = tree
         root = cssselect2.ElementWrapper.from_xml_root(tree)
         style = parent.style if parent else css.parse_stylesheets(self, url)

cairosvg/surface.py

@@ -113,7 +113,8 @@ def convert(cls, bytestring=None, *, file_obj=None, url=None, dpi=96,
         :param parent_width: The width of the parent container in pixels.
         :param parent_height: The height of the parent container in pixels.
         :param scale: The ouptut scaling factor.
-        :param unsafe: A boolean allowing XML entities and very large files
+        :param unsafe: A boolean allowing external file access, XML entities
+                       and very large files
                        (WARNING: vulnerable to XXE attacks and various DoS).
 
         Specifiy the output with: