Documentation
The current documentation on xml.sax.handler.feature_external_ges fails to warn that enabling feature_external_ges will make the XML parser vulnerable to external entity attacks.
For a demo:
```python
# Copyright (c) 2025 Sebastian Pipping <sebastian@pipping.org>
# SPDX-License-Identifier: 0BSD
from io import StringIO
from textwrap import dedent
from xml.sax.expatreader import create_parser
from xml.sax.handler import feature_external_ges

parser = create_parser()
# Enabling this feature makes the parser follow external references such as
# the SYSTEM identifier of the DOCTYPE below (disabled by default).
parser.setFeature(feature_external_ges, 1)

content = dedent("""\
<!DOCTYPE root SYSTEM "https://host.invalid/404.dtd">
<root/>
""")
# With the feature on, the parser attempts to fetch the DTD from the network;
# here the fetch fails because host.invalid does not resolve.
parser.parse(StringIO(content))
```
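As an added example (not part of the report above), the following shows the two sides of the feature: with `feature_external_ges` left at its default the external general entity is silently dropped, and when it is enabled the parser hands every external system identifier to the registered `EntityResolver` before fetching it, so a resolver that refuses to resolve anything turns an accidental enable into a loud failure instead of a fetch. The document, the entity name `ext`, the path `file:///nonexistent/example.txt` and the helper names are constructed for this example.

```python
from io import StringIO
from xml.sax import SAXException
from xml.sax.expatreader import create_parser
from xml.sax.handler import ContentHandler, EntityResolver, feature_external_ges

# Constructed sample document: declares an external general entity and
# references it in content. Nothing here is meant to exist on disk.
SAMPLE = """<?xml version="1.0"?>
<!DOCTYPE root [
  <!ENTITY ext SYSTEM "file:///nonexistent/example.txt">
]>
<root>&ext;</root>
"""


class TextCollector(ContentHandler):
    """Collects character data so we can see what, if anything, got expanded."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)

    @property
    def text(self):
        return "".join(self.chunks)


class RefuseExternal(EntityResolver):
    """Resolver that records every external reference and refuses to load it.

    With feature_external_ges enabled, expatreader calls resolveEntity()
    before opening the resource, so raising here stops the fetch.
    """

    def __init__(self):
        self.attempted = []

    def resolveEntity(self, publicId, systemId):
        self.attempted.append(systemId)
        raise SAXException(f"refusing to resolve external entity: {systemId}")


def parse_with(enable_external_ges, resolver=None):
    """Parse SAMPLE with the feature set as requested; returns the collected text."""
    parser = create_parser()
    parser.setFeature(feature_external_ges, enable_external_ges)
    handler = TextCollector()
    parser.setContentHandler(handler)
    if resolver is not None:
        parser.setEntityResolver(resolver)
    parser.parse(StringIO(SAMPLE))
    return handler.text


def external_entities_disabled(parser):
    """Audit check for code review or startup: is the parser still in the safe state?"""
    return not parser.getFeature(feature_external_ges)


if __name__ == "__main__":
    print("default parser, entity text:", repr(parse_with(False)))
    guard = RefuseExternal()
    try:
        parse_with(True, guard)
    except SAXException as exc:
        print("feature enabled, blocked:", exc.getMessage())
    print("attempted system ids:", guard.attempted)
```

With the feature disabled (the default since Python 3.7.1) the reference to `&ext;` contributes no text and nothing is opened. With the feature enabled, expatreader consults the resolver with the declared system identifier; the default `EntityResolver` would return it unchanged and the parser would open it, which is exactly the behaviour the report asks the documentation to warn about.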
CC @picnixz @hannob