Skip to content

gh-90949: Recommend hasattr with Expat security methods #139800

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 6 commits into
base: main
Choose a base branch
from
Open

gh-90949: Recommend hasattr with Expat security methods #139800

wants to merge 6 commits into from
+43 −8

Conversation

hartwork
Copy link
Contributor

@hartwork hartwork commented Oct 8, 2025
edited
Loading

@hartwork
Doc/library/pyexpat.rst: Recommend "hasattr" with Expat security methods
834a7e0 
This mimics existing method SetReparseDeferralEnabled.
@hartwork
Doc/library/pyexpat.rst: Use ".. note::" with SetReparseDeferralEnabled
828f786 
.. to make it consistent with the other four Expat security methods.
@bedevere-app bedevere-app bot added docs Documentation in the Doc dir skip news labels Oct 8, 2025
@github-project-automation github-project-automation bot moved this to Todo in Docs PRs Oct 8, 2025
@bedevere-app bedevere-app bot mentioned this pull request Oct 8, 2025
Open
@hartwork hartwork changed the title gh-90949: Recommend "hasattr" with Expat security methods gh-90949: Recommend hasattr with Expat security methods Oct 8, 2025
@hartwork
Doc/library/xml.etree.elementtree.rst: Use ".. note::" for backport n…
c932512 
…otes

.. to make it consistent with Doc/library/pyexpat.rst.
StanFromIreland
StanFromIreland reviewed Oct 8, 2025
View reviewed changes
StanFromIreland
StanFromIreland reviewed Oct 8, 2025
View reviewed changes
picnixz
picnixz reviewed Oct 9, 2025
View reviewed changes
@hartwork hartwork requested a review from picnixz October 9, 2025 13:36
@picnixz
Copy link
Member

picnixz commented Oct 9, 2025

I think I'm fine with this addition. However, because we talk about "backported" interface, we shouldn't push this until it's effectively backported (at least once). I'm actually unsure about the expanded docs. For instance:

image

I feel that the "note" boxes are way too intrusive... I think it's more important to have the note about the surprising values rather than the note on the availability (the versionadded should be enough). OTOH, if you ever add more protections, we'll have a huge block of notes, almost always the same. Here's what I can suggest: a simple .. seealso:: which refers to a section about "Availability testing" which indicates that some features are included in micro versions instead of .0 versions. That would reduce the vertical span of the page and be more readable for users in general. WDYT?

@hartwork
Copy link
Contributor Author

hartwork commented Oct 9, 2025

I think I'm fine with this addition. However, because we talk about "backported" interface, we shouldn't push this until it's effectively backported (at least once).

@picnixz I'm reading that as merging at least one of the unmerged backports of #139234 first — sure.

I feel that the "note" boxes are way too intrusive...

It's got a bit less loud in the meantime when adding the ! earlier — less bold and blue now:

note

I think it's more important to have the note about the surprising values rather than the note on the availability (the versionadded should be enough).

So there is a threshold where above a note gets its own box and below a box takes too much attention, makes sense.

OTOH, if you ever add more protections, we'll have a huge block of notes, almost always the same.

It would be multiple smaller blocks, not one huge block though. It's a bit less scary than that.

Btw I have no plans of adding more, new API like that will only appear if there is no way around it.

Here's what I can suggest: a simple .. seealso:: which refers to a section about "Availability testing" which indicates that some features are included in micro versions instead of .0 versions. That would reduce the vertical span of the page and be more readable for users in general. WDYT?

Personally I think that see also requires an additional click and additional energy and that alone will many users stop from ever noticing. (I also believe readability is not in danger currently.) Let me demo what we get when taking the .. note:: markers out and turning these notes back to text. Someone reading the whole method description will get the memo then, and it will not be as loud. Push coming up in a minute or two…

@hartwork
Copy link
Contributor Author

hartwork commented Oct 9, 2025

@picnixz pushed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@StanFromIreland StanFromIreland Awaiting requested review from StanFromIreland

@picnixz picnixz Awaiting requested review from picnixz

Assignees

No one assigned

Labels

awaiting review docs Documentation in the Doc dir skip news

Projects

Docs PRs
Status: Todo

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@hartwork @picnixz @StanFromIreland