subset: parse OT-SVG with resolve_entities=False

to guard against XXE attacks as recommended in https://codeql.github.com/codeql-query-help/python/py-xxe/
fonttools · Sep 15, 2023 · 9f61271 · 9f61271
1 parent 74240af
commit 9f61271
Showing 1 changed file with 3 additions and 0 deletions.
diff --git a/Lib/fontTools/subset/svg.py b/Lib/fontTools/subset/svg.py
@@ -225,6 +225,9 @@ def subset_glyphs(self, s) -> bool:
                 # ignore blank text as it's not meaningful in OT-SVG; it also prevents
                 # dangling tail text after removing an element when pretty_print=True
                 remove_blank_text=True,
+                # don't replace entities; we don't expect any in OT-SVG and they may
+                # aboused for XXE attacks
+                resolve_entities=False,
             ),
         )