From ff35183dba1994b2ee3392824f8c537e10511df8 Mon Sep 17 00:00:00 2001
From: vishnudathks
Date: Mon, 2 Mar 2026 23:49:10 +0530
Subject: [PATCH] Update B313/B314 XML warning message for Python 3.11+
- Clarify that XML vulnerabilities only apply to Python < 3.11
- Python 3.11+ includes expat 2.7.1 which addresses XXE concerns
- Fixes issue #1344
---
 bandit/blacklists/calls.py | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/bandit/blacklists/calls.py b/bandit/blacklists/calls.py
index 024e873a7..ee123ec5f 100644
--- a/bandit/blacklists/calls.py
+++ b/bandit/blacklists/calls.py
@@ -545,9 +545,10 @@ def gen_blacklist():
 xml_msg = (
 "Using {name} to parse untrusted XML data is known to be "
- "vulnerable to XML attacks. Replace {name} with its "
- "defusedxml equivalent function or make sure "
- "defusedxml.defuse_stdlib() is called"
+ "vulnerable to XML attacks on Python < 3.11. Python 3.11+ "
+ "includes expat 2.7.1 which addresses these concerns. "
+ "Check your project's minimum Python version before suppressing "
+ "this warning."
 )
 sets.append(
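Review bot: The rewritten xml_msg ties the mitigation to an interpreter minor version, but which expat a CPython binary uses depends on the patch release and on whether it was built against the system libexpat, so "Python 3.11+ includes expat 2.7.1" will be wrong for some 3.11 builds, and the old "Replace {name} with its defusedxml equivalent" remediation is no longer offered to users who remain exposed. The entity-expansion limits arrived with expat 2.4 and later patch releases of earlier CPython lines also picked up newer expat, so the real boundary is an expat version rather than a Python minor version (inferred from the change itself; worth confirming against the CPython changelog before merging). I would keep the remediation and point at a runtime check instead, e.g. `"vulnerable to XML attacks when the underlying expat lacks entity-expansion limits. "` followed by `"Replace {name} with its defusedxml equivalent or call defusedxml.defuse_stdlib(); check pyexpat.EXPAT_VERSION before suppressing this warning."`. Since Bandit scans code statically, the message should also not read as if the analyser's own interpreter settles the question for the scanned project. gen_blacklist() starts before and ends after this hunk.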