Comment 14 for bug 1534284

Jamie Lennox (jamielennox) wrote :

Unfortunately defusedxml is not part of global-requirements and that's not a battle I care to have. However, we are also wanting to move away from lxml to remove the C dependencies that lxml brings. So alternative options would be appreciated.

For a shorter term fix, googling the issue brings up [1], suggesting we can do:

    from lxml import etree
    parser = etree.XMLParser(resolve_entities=False)

I think (I haven't looked closely) that this should be safe for SAML. Can we update bandit to check for this specifically?

[1] http://mikeknoop.com/lxml-xxe-exploit/
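The following is an added example, not code from the bug thread or from the project, showing what the suggested `resolve_entities=False` setting actually does when lxml parses a document that declares an entity, and how a caller can reject such input outright. The sample documents, the `hardened_parser` and `parse_untrusted` helper names, and the decision to treat any entity reference as an error are assumptions made for the illustration; the lxml calls (`XMLParser`, `fromstring`, `iter`, `etree.Entity`) are real.

```python
"""Added example (not from the bug thread): parse untrusted XML with lxml
without expanding entities, then verify that no entity reference survived."""
from lxml import etree

# Constructed samples. The first declares an internal entity that lxml's
# default parser substitutes into the element text; the second is plain.
SAMPLE_WITH_ENTITY = b'<!DOCTYPE r [<!ENTITY greet "hello">]><r>&greet;</r>'
SAMPLE_PLAIN = b'<r>hello</r>'


def hardened_parser():
    """Parser configured as the comment above suggests (assumed helper name).

    resolve_entities=False keeps entity references as Entity nodes in the
    tree instead of replacing them with their value, so neither internal
    nor external entity content is substituted. no_network=True is already
    lxml's default; it is passed explicitly so the intent is visible.
    """
    return etree.XMLParser(resolve_entities=False, no_network=True)


def entity_names(data):
    """Return the names of entity references left unexpanded by the
    hardened parser; empty for a document without entity references."""
    root = etree.fromstring(data, hardened_parser())
    return [node.name for node in root.iter() if node.tag is etree.Entity]


def parse_untrusted(data):
    """Parse with the hardened parser and refuse documents that carried any
    entity reference: for SAML-style input there is no legitimate reason
    for one, and failing loudly beats silently altered content."""
    root = etree.fromstring(data, hardened_parser())
    for node in root.iter():
        if node.tag is etree.Entity:
            raise ValueError("entity reference &%s; rejected" % node.name)
    return root


def is_rejected(data):
    """True if parse_untrusted refuses the document."""
    try:
        parse_untrusted(data)
    except ValueError:
        return True
    return False


def text_with_default_parser(data):
    """For comparison: lxml's default parser (resolve_entities=True)
    substitutes the entity value into the element text."""
    return etree.fromstring(data).text


if __name__ == "__main__":
    print("default parser text:", text_with_default_parser(SAMPLE_WITH_ENTITY))
    print("unexpanded entities:", entity_names(SAMPLE_WITH_ENTITY))
    print("rejected:", is_rejected(SAMPLE_WITH_ENTITY),
          is_rejected(SAMPLE_PLAIN))
```

With the default parser the `<r>` element's text becomes `hello`; with the hardened parser the element's text stays empty and the tree instead contains an `Entity` node named `greet`, which `parse_untrusted` turns into a `ValueError`. A bandit-style check for this pattern would look for `XMLParser(...)` calls that omit `resolve_entities=False`, since the unsafe behaviour is the default.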