Merge pull request #352 from vasiliadi/feature/defusedxml

[security] defusedxml.ElementTree instead of xml.etree.ElementTree

poetry.lock

@@ -1,4 +1,4 @@
-# This file is automatically @generated by Poetry 1.8.3 and should not be changed by hand.
+# This file is automatically @generated by Poetry 1.8.4 and should not be changed by hand.
 
 [[package]]
 name = "certifi"
@@ -220,6 +220,17 @@ files = [
 [package.extras]
 toml = ["tomli"]
 
+[[package]]
+name = "defusedxml"
+version = "0.7.1"
+description = "XML bomb protection for Python stdlib modules"
+optional = false
+python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*"
+files = [
+    {file = "defusedxml-0.7.1-py2.py3-none-any.whl", hash = "sha256:a352e7e428770286cc899e2542b6cdaedb2b4953ff269a210103ec58f6198a61"},
+    {file = "defusedxml-0.7.1.tar.gz", hash = "sha256:1bb3032db185915b62d7c6209c5a8792be6a32ab2fedacc84e01b52c51aa3e69"},
+]
+
 [[package]]
 name = "exceptiongroup"
 version = "1.2.2"
@@ -412,4 +423,4 @@ zstd = ["zstandard (>=0.18.0)"]
 [metadata]
 lock-version = "2.0"
 python-versions = ">=3.8,<3.14"
-content-hash = "370c5c5f94f6000e0fdb76190a3aabd5acadf804802ca70dba41787d306799b4"
+content-hash = "9688fe60ffcd776c6ed6da0a9cedf875f97aefcd72fdc817495978b68afc381b"

pyproject.toml

@@ -49,6 +49,7 @@ precommit.shell = "poe format && poe lint && poe coverage"
 [tool.poetry.dependencies]
 python = ">=3.8,<3.14"
 requests = "*"
+defusedxml = "^0.7.1"
 
 [tool.poetry.group.test]
 optional = true

youtube_transcript_api/_transcripts.py

@@ -8,7 +8,7 @@ if sys.version_info.major == 2:  # pragma: no cover
 
 import json
 
-from xml.etree import ElementTree
+from defusedxml import ElementTree
 
 import re