diff -Naur pysaml2/setup.py pysaml2.new/setup.py
--- pysaml2/setup.py 2015-12-06 00:46:33.000000000 -0600
+++ pysaml2.new/setup.py 2017-01-10 20:31:43.387413477 -0600
@@ -17,6 +17,7 @@
 'pytz',
 'pyOpenSSL',
 'python-dateutil',
+ 'defusedxml',
 'six'
 ]
diff -Naur pysaml2/src/saml2/__init__.py pysaml2.new/src/saml2/__init__.py
--- pysaml2/src/saml2/__init__.py 2016-01-07 05:53:57.000000000 -0600
+++ pysaml2.new/src/saml2/__init__.py 2017-01-10 20:34:04.171641116 -0600
@@ -35,6 +35,7 @@
 import cElementTree as ElementTree
 except ImportError:
 from elementtree import ElementTree
+import defusedxml.ElementTree
 root_logger = logging.getLogger(__name__)
 root_logger.level = logging.NOTSET
@@ -86,7 +87,7 @@
 """
 if not isinstance(xml_string, six.binary_type):
 xml_string = xml_string.encode('utf-8')
- tree = ElementTree.fromstring(xml_string)
+ tree = defusedxml.ElementTree.fromstring(xml_string)
 return create_class_from_element_tree(target_class, tree)
@@ -268,7 +269,7 @@
 def extension_element_from_string(xml_string):
- element_tree = ElementTree.fromstring(xml_string)
+ element_tree = defusedxml.ElementTree.fromstring(xml_string)
 return _extension_element_from_element_tree(element_tree)
diff -Naur pysaml2/src/saml2/pack.py pysaml2.new/src/saml2/pack.py
--- pysaml2/src/saml2/pack.py 2015-12-11 07:31:39.000000000 -0600
+++ pysaml2.new/src/saml2/pack.py 2017-01-10 20:35:35.382435020 -0600
@@ -37,6 +37,7 @@
 import cElementTree as ElementTree
 except ImportError:
 from elementtree import ElementTree
+import defusedxml.ElementTree
 NAMESPACE = "http://schemas.xmlsoap.org/soap/envelope/"
 FORM_SPEC = """
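Review bot: `defusedxml.ElementTree.fromstring(xml_string)` in the `@@ -86,7 +87,7 @@` hunk relies on defusedxml's defaults, which as documented reject entity declarations and external references but still accept a DTD in the document; a SAML message has no legitimate use for a DTD, so `tree = defusedxml.ElementTree.fromstring(xml_string, forbid_dtd=True)` closes that remaining gap, and the same applies to the `extension_element_from_string` hunk that follows. The defused parser also reports rejected input through its own `DefusedXmlException` family (which, if I recall correctly, derive from `ValueError`) rather than the `ParseError` that the previous `ElementTree.fromstring` raised, so any caller that wraps these functions in an `except ParseError` no longer handles hostile input and would instead see an unexpected exception. Worth confirming those call sites and either catching `defusedxml.DefusedXmlException` here and re-raising as the parse error callers already expect, or documenting the new exception in the function's docstring. The enclosing function's signature and docstring start outside this hunk.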
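Review bot: `extension_element_from_string` in the `@@ -268,7 +269,7 @@` hunk has no docstring, and after this change the parser's refusal behaviour becomes part of its contract, so a reader should not have to open defusedxml to learn it. Suggest adding, directly under the `def` line, `"""Parse *xml_string* with the defused parser and delegate to _extension_element_from_element_tree; entity declarations and external references are rejected by the parser rather than expanded."""`. Unlike `create_class_from_xml_string` above, this function does not encode a text `xml_string` to bytes first; that appears to be pre-existing behaviour rather than something this commit introduces.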