From e239ce326755e476521e35d7cbb680d1358b5883 Mon Sep 17 00:00:00 2001
From: Étienne Loks <etienne.loks@iggdrasil.net>
Date: Mon, 1 Dec 2025 11:48:43 +0100
Subject: 🔒️ fix bandit warnings
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 ishtar_common/utils_secretary.py | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)

(limited to 'ishtar_common/utils_secretary.py')

diff --git a/ishtar_common/utils_secretary.py b/ishtar_common/utils_secretary.py
index 0ce4732d4..77a2cbc9b 100644
--- a/ishtar_common/utils_secretary.py
+++ b/ishtar_common/utils_secretary.py
@@ -2,8 +2,9 @@
 # -*- coding: utf-8 -*-
 import re
 from secretary import Renderer
-from lxml import etree
-from xml.dom.minidom import parseString
+# source files is from admin user this should be safe
+from lxml import etree  # nosec
+from xml.dom.minidom import parseString  # nosec
 from xml.parsers.expat import ExpatError, ErrorString
 from PIL import Image
 
@@ -108,10 +109,16 @@ class IshtarSecretaryRenderer(Renderer):
             result = jinja_template.render(**kwargs)
 
             # try to fix xml with mismatched tags
-            parser = etree.XMLParser(recover=True)
-            recovered_xml = etree.fromstring(result.encode("ascii", "xmlcharrefreplace"), parser)
-
-            final_xml = parseString(etree.tostring(recovered_xml))
+            # source files is from admin user this should be safe
+            parser = etree.XMLParser(recover=True)  # nosec
+            recovered_xml = etree.fromstring(
+                result.encode("ascii", "xmlcharrefreplace"),
+                parser)
+
+            # source files is from admin user this should be safe
+            final_xml = parseString(  # nosec
+                etree.tostring(recovered_xml)
+            )
 
             if self.template_images:
                 self.replace_images(final_xml)
-- 
cgit v1.2.3