defusedxml.lxml is deprecated

[sergei-maertens]

So we should not rely on that.

Instead, we can borrow the workaround/correct way of handling this from https://foss.heptapod.net/openpyxl/openpyxl/-/commit/ecb4a33fad1057c529873a6aa852c751265b975d and mvantellingen/python-zeep#1179

(open-forms) ➜  open-forms git:(feature/296-co-sign-formio-component) m check
/home/bbt/code/open-forms/src/openforms/prefill/contrib/stufbg/plugin.py:8: DeprecationWarning: defusedxml.lxml is no longer supported and will be removed in a future release.
  from defusedxml.lxml import fromstring as df_fromstring

[sergei-maertens]

This is also used in the digid-eherkenning package it seems

[sergei-maertens]

Open Forms itself no longer uses it, but django-digid-eherkenning still does:

➜  django-digid-eherkenning git:(master) grep 'defusedxml' -r digid_eherkenning/
digid_eherkenning/saml2/eherkenning.py:from defusedxml.lxml import tostring
digid_eherkenning/utils.py:from defusedxml.lxml import parse

[sergei-maertens]

The final usage seems to be in python3-saml:

~/code/python3-saml/src/onelogin/saml2/artifact_response.py:
    1  from base64 import b64encode
    2: from defusedxml.lxml import tostring
    3  from onelogin.saml2.constants import OneLogin_Saml2_Constants
    4  from onelogin.saml2.utils import (OneLogin_Saml2_Utils,

~/code/python3-saml/src/onelogin/saml2/response.py:
   11  
   12  from copy import deepcopy
   13: from defusedxml.lxml import tostring
   14  
   15  from onelogin.saml2.constants import OneLogin_Saml2_Constants

~/code/python3-saml/src/onelogin/saml2/xmlparser.py:
    1  # -*- coding: utf-8 -*-
    2  
    3: # Based on the lxml example from defusedxml
    4: # DTDForbidden, EntitiesForbidden, NotSupportedError are clones of the classes defined at defusedxml
    5  #
    6  # Copyright (c) 2013 by Christian Heimes <christian@python.org>

Upstream does not appear to use this (anymore), so it's a matter of updating our fork.

[sergei-maertens]

It appears to be present in django-camunda too