test_xxe_entity_attack_blocked() — langchain Function Reference

Architecture documentation for the test_xxe_entity_attack_blocked() function in test_html_security.py from the langchain codebase.

Function python LangChainCore ApiManagement

Entity Profile

LangChainCore→ ApiManagement→ test_xxe_entity_attack_blocked() — langchain Function Reference

Dependency Diagram

graph TD
  0c4dbd4d_6e59_55d7_088c_a4dd38af6441["test_xxe_entity_attack_blocked()"]
  c36248a5_01d0_c9ad_b6b4_e15022cac62c["TestHTMLSectionSplitterSecurity"]
  0c4dbd4d_6e59_55d7_088c_a4dd38af6441 -->|defined in| c36248a5_01d0_c9ad_b6b4_e15022cac62c
  style 0c4dbd4d_6e59_55d7_088c_a4dd38af6441 fill:#6366f1,stroke:#818cf8,color:#fff

Relationship Graph

Source Code

libs/text-splitters/tests/unit_tests/test_html_security.py lines 12–27

    def test_xxe_entity_attack_blocked(self) -> None:
        """Test that external entity attacks are blocked."""
        # Create HTML content to process
        html_content = """<html><body><p>Test content</p></body></html>"""

        # Since xslt_path parameter is removed, this attack vector is eliminated
        # The splitter should use only the default XSLT
        splitter = HTMLSectionSplitter(headers_to_split_on=[("h1", "Header 1")])

        # Process the HTML - should not contain any external entity content
        result = splitter.split_text(html_content)

        # Verify that no external entity content is present
        all_content = " ".join([doc.page_content for doc in result])
        assert "root:" not in all_content  # /etc/passwd content
        assert "XXE Attack Result" not in all_content