No longer using defusedxml since it is not necessary.

README.rst

@@ -46,6 +46,7 @@ Installation
 
 Note that the latest version to support Python 2.7, 3.3, 3.4 and 3.5 is Zeep 3.4, install via `pip install zeep==3.4.0`
 
+Zeep uses the lxml library for parsing xml. See https://lxml.de/installation.html for the installation requirements.
 
 Usage
 -----

setup.py

@@ -6,9 +6,8 @@
     "appdirs>=1.4.0",
     "attrs>=17.2.0",
     "cached-property>=1.3.0",
-    "defusedxml>=0.4.1",
     "isodate>=0.5.4",
-    "lxml>=3.1.0",
+    "lxml>=4.6.0",
     "requests>=2.7.0",
     "requests-toolbelt>=0.7.1",
     "requests-file>=1.5.1",

src/zeep/exceptions.py

@@ -91,3 +91,26 @@ class IncompleteMessage(Error):
 
 class IncompleteOperation(Error):
     pass
+
+
+class DTDForbidden(Error):
+    def __init__(self, name, sysid, pubid):
+        super(DTDForbidden, self).__init__()
+        self.name = name
+        self.sysid = sysid
+        self.pubid = pubid
+
+    def __str__(self):
+        tpl = "DTDForbidden(name='{}', system_id={!r}, public_id={!r})"
+        return tpl.format(self.name, self.sysid, self.pubid)
+
+
+class EntitiesForbidden(Error):
+    def __init__(self, name, content):
+        super(EntitiesForbidden, self).__init__()
+        self.name = name
+        self.content = content
+
+    def __str__(self):
+        tpl = "EntitiesForbidden(name='{}', content={!r})"
+        return tpl.format(self.name, self.content)

src/zeep/loader.py

@@ -2,14 +2,15 @@
 import typing
 from urllib.parse import urljoin, urlparse, urlunparse
 
-from defusedxml.lxml import fromstring
+from exceptions import DTDForbidden, EntitiesForbidden
 from lxml import etree
+from lxml.etree import fromstring, XMLParser, XMLSyntaxError, Resolver
 
 from zeep.exceptions import XMLSyntaxError
 from zeep.settings import Settings
 
 
-class ImportResolver(etree.Resolver):
+class ImportResolver(Resolver):
     """Custom lxml resolve to use the transport object"""
 
     def __init__(self, transport):
@@ -39,21 +40,28 @@ def parse_xml(content: str, transport, base_url=None, settings=None):
     """
     settings = settings or Settings()
     recover = not settings.strict
-    parser = etree.XMLParser(
+    parser = XMLParser(
         remove_comments=True,
         resolve_entities=False,
         recover=recover,
         huge_tree=settings.xml_huge_tree,
     )
     parser.resolvers.add(ImportResolver(transport))
     try:
-        return fromstring(
-            content,
-            parser=parser,
-            base_url=base_url,
-            forbid_dtd=settings.forbid_dtd,
-            forbid_entities=settings.forbid_entities,
-        )
+        elementtree = fromstring(content, parser=parser,base_url=base_url)
+        docinfo = elementtree.getroottree().docinfo
+        if docinfo.doctype:
+            if settings.forbid_dtd:
+                raise DTDForbidden(docinfo.doctype, docinfo.system_url, docinfo.public_id)
+        if settings.forbid_entities:
+            for dtd in docinfo.internalDTD, docinfo.externalDTD:
+                if dtd is None:
+                    continue
+                for entity in dtd.iterentities():
+                    raise EntitiesForbidden(entity.name, entity.content)
+
+
+        return elementtree
     except etree.XMLSyntaxError as exc:
         raise XMLSyntaxError(
             "Invalid XML content received (%s)" % exc.msg, content=content

src/zeep/wsdl/messages/mime.py

@@ -5,8 +5,8 @@
 """
 from urllib.parse import urlencode
 
-from defusedxml.lxml import fromstring
 from lxml import etree
+from lxml.etree import fromstring
 
 from zeep import ns, xsd
 from zeep.helpers import serialize_object

tests/test_loader.py

@@ -1,5 +1,5 @@
 import pytest
-from defusedxml import DTDForbidden, EntitiesForbidden
+from exceptions import DTDForbidden, EntitiesForbidden
 from pytest import raises as assert_raises
 
 from tests.utils import DummyTransport

tests/test_wsdl.py

@@ -3,7 +3,7 @@
 
 import pytest
 import requests_mock
-from defusedxml import DTDForbidden, EntitiesForbidden
+from exceptions import DTDForbidden, EntitiesForbidden
 from lxml import etree
 from pretend import stub