Satisfy the needs of defusedxml.defuse_stdlib() whilst still retaining functionality and passing tests

src/jinjaturtle/core.py

@@ -103,9 +103,7 @@ def parse_config(path: Path, fmt: str | None = None) -> tuple[str, Any]:
 
     if fmt == "xml":
         text = path.read_text(encoding="utf-8")
-        # defusedxml.defuse_stdlib() is called in CLI entrypoint
-        parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=False)) # nosec
-        root = ET.fromstring(text, parser=parser) # nosec
+        root = ET.fromstring(text) # nosec B314
         return fmt, root
 
     raise ValueError(f"Unsupported config format: {fmt}")
@@ -870,8 +868,9 @@ def _generate_xml_template_from_text(role_prefix: str, text: str) -> str:
 
     # Parse with comments included so <!-- --> are preserved
     # defusedxml.defuse_stdlib() is called in CLI entrypoint
-    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True)) # nosec
-    root = ET.fromstring(body, parser=parser) # nosec
+    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))  # nosec B314
+    parser.feed(body)
+    root = parser.close()
 
     _apply_jinja_to_xml_tree(role_prefix, root)
 

tests/test_core.py

@@ -566,8 +566,7 @@ def test_generate_template_xml_structural_fallback():
         </root>
         """
     )
-    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=False))
-    root = ET.fromstring(xml_text, parser=parser)
+    root = ET.fromstring(xml_text)
 
     tmpl = generate_template("xml", parsed=root, role_prefix="role")
 
@@ -643,8 +642,7 @@ def test_flatten_xml_text_with_attributes_uses_value_suffix():
     the text at path + ('value',), not just path.
     """
     xml_text = "<root><node attr='x'>text</node></root>"
-    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=False))
-    root = ET.fromstring(xml_text, parser=parser)
+    root = ET.fromstring(xml_text)
 
     items = flatten_config("xml", root)