Fixes deeplook#229 - External entity loading disabled by default

claudep · Mar 7, 2020 · 0c03e46 · 0c03e46
1 parent d730b2b
commit 0c03e46
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 4 deletions.
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -10,6 +10,7 @@ Unreleased
 - fixed references to <defs> content when placed middle or end of
   SVG documents (#225)
 - fixed elliptic arcs reading when arc flags are condensed (#232)
+- disabled external entity loading by default (#229)
 
 0.9.3 (2019-11-02)
 ------------------

diff --git a/svglib/svglib.py b/svglib/svglib.py
@@ -1395,7 +1395,7 @@ def applyStyleOnShape(self, shape, node, only_explicit=False):
             shape.fillColor.alpha = shape.fillOpacity
 
 
-def svg2rlg(path, **kwargs):
+def svg2rlg(path, resolve_entities=False, **kwargs):
     "Convert an SVG file to an RLG Drawing object."
 
     # unzip .svgz file into .svg
@@ -1406,7 +1406,7 @@ def svg2rlg(path, **kwargs):
         path = path[:-1]
         unzipped = True
 
-    svg_root = load_svg_file(path)
+    svg_root = load_svg_file(path, resolve_entities=resolve_entities)
     if svg_root is None:
         return
 
@@ -1421,8 +1421,10 @@ def svg2rlg(path, **kwargs):
     return drawing
 
 
-def load_svg_file(path):
-    parser = etree.XMLParser(remove_comments=True, recover=True)
+def load_svg_file(path, resolve_entities=False):
+    parser = etree.XMLParser(
+        remove_comments=True, recover=True, resolve_entities=resolve_entities
+    )
     try:
         doc = etree.parse(path, parser=parser)
         svg_root = doc.getroot()