All SVG parsing uses the stdlib xml.etree.ElementTree (postprocess.py, report.py, verify?, smooth.py). Inputs are currently always our own freshly generated tracer SVG (no external XML), so the XXE / billion-laughs risk is low; but if svgsmith ever ingests user-provided SVG, switch the whole codebase to defusedxml.ElementTree for parsing. Low-priority hardening: when it happens, do it codebase-wide for consistency, not per module.
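As an added illustration (not svgsmith's code), the following wrapper shows the shape such a codebase-wide switch could take: one `parse_svg` entry point that uses defusedxml.ElementTree when it is installed and, when it is not, pre-scans the input with the stdlib expat parser and refuses any DOCTYPE or entity declaration before handing the bytes to xml.etree.ElementTree. The function name, the `UnsafeSvgError` exception and the two embedded sample documents are assumptions made for this example.

```python
"""Single safe entry point for SVG parsing (example, not svgsmith's own code).

Prefers defusedxml; without it, rejects DTDs up front so that entity-expansion
documents never reach the stdlib parser, which would expand them.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from xml.parsers import expat

try:
    import defusedxml.ElementTree as DET
    from defusedxml import DefusedXmlException
except ImportError:  # assumption: defusedxml may not be installed
    DET = None
    DefusedXmlException = ()  # 'except ()' catches nothing


class UnsafeSvgError(ValueError):
    """Raised for input that is malformed or carries a DTD/entity declaration."""


def _reject_dtd(data: bytes) -> None:
    """Stdlib-only pre-scan: abort at the first DOCTYPE or entity declaration.

    The handler fires before any entity is expanded, so a nested-entity
    ("billion laughs") document is refused without ever being blown up.
    """
    parser = expat.ParserCreate()

    def forbid(*_args):
        raise UnsafeSvgError("DOCTYPE/entity declarations are not allowed in SVG input")

    parser.StartDoctypeDeclHandler = forbid
    parser.EntityDeclHandler = forbid
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        raise UnsafeSvgError(f"malformed XML: {exc}") from exc


def parse_svg(data: bytes) -> ET.Element:
    """Parse SVG bytes, refusing DTDs regardless of which backend is available."""
    if DET is not None:
        try:
            # forbid_dtd=True keeps behaviour identical to the fallback path
            return DET.fromstring(data, forbid_dtd=True)
        except DefusedXmlException as exc:
            raise UnsafeSvgError(str(exc)) from exc
    _reject_dtd(data)
    return ET.fromstring(data)


def path_count(data: bytes) -> int:
    """Convenience helper: number of <path> elements in a parsed SVG."""
    root = parse_svg(data)
    return len(root.findall("{http://www.w3.org/2000/svg}path"))


# Constructed sample: the kind of output a tracer produces.
BENIGN_SVG = b"""<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <path d="M0 0 L10 10"/>
  <path d="M10 0 L0 10"/>
</svg>"""

# Constructed sample: a tiny internal-entity document of the shape that the
# stdlib parser would expand but that parse_svg must refuse.
ENTITY_SVG = b"""<?xml version="1.0"?>
<!DOCTYPE svg [
  <!ENTITY a "aaaa">
  <!ENTITY b "&a;&a;">
]>
<svg xmlns="http://www.w3.org/2000/svg"><title>&b;</title></svg>"""


def demo() -> tuple[int, bool]:
    """Returns (paths in the benign file, whether the entity file was refused)."""
    refused = False
    try:
        parse_svg(ENTITY_SVG)
    except UnsafeSvgError:
        refused = True
    return path_count(BENIGN_SVG), refused


if __name__ == "__main__":
    print(demo())
```

Keeping the policy in one function is what makes the "codebase-wide, not per-module" point concrete: postprocess.py, report.py and smooth.py would all import `parse_svg` instead of calling `ET.fromstring` / `ET.parse` directly, so the backend choice and the DTD policy live in exactly one place.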