lxml
★
★
★
★
★
3
reviews
Powerful and Pythonic XML processing library combining libxml2/libxslt with the ElementTree API.
100
Security
44
Quality
51
Maintenance
69
Overall
v6.0.2
PyPI
Python
Sep 22, 2025
by lxml dev team
No Known Issues
This package has a good security score with no known vulnerabilities.
2993
GitHub Stars
4.7/5
Avg Rating
Community Reviews
CAUTION
Powerful XML library with critical security considerations for untrusted input
lxml is the go-to library when you need serious XML/XSLT processing in Python. The libxml2 backend makes it significantly faster than pure-Python alternatives, and the ElementTree-compatible API feels natural. I've used it extensively for parsing complex XML schemas, SOAP integrations, and document transformations where performance matters.
The security story requires careful attention. XML External Entity (XXE) attacks are a constant concern—you must explicitly configure XMLParser with resolve_entities=False and no_network=True when handling untrusted input. The defaults have improved over time, but it's not fully secure-by-default. Error messages can leak filesystem paths during parsing failures, which I've had to sanitize in production logs. The C extension dependency means you're trusting the libxml2/libxslt supply chain, and building from source requires development headers.
Documentation is comprehensive with good security sections, but the onus is on developers to read and apply them. Input validation helpers like defusedxml integration would be welcome. For trusted internal XML processing, it's excellent. For user-facing parsers, you need defensive configuration and thorough testing.
The security story requires careful attention. XML External Entity (XXE) attacks are a constant concern—you must explicitly configure XMLParser with resolve_entities=False and no_network=True when handling untrusted input. The defaults have improved over time, but it's not fully secure-by-default. Error messages can leak filesystem paths during parsing failures, which I've had to sanitize in production logs. The C extension dependency means you're trusting the libxml2/libxslt supply chain, and building from source requires development headers.
Documentation is comprehensive with good security sections, but the onus is on developers to read and apply them. Input validation helpers like defusedxml integration would be welcome. For trusted internal XML processing, it's excellent. For user-facing parsers, you need defensive configuration and thorough testing.
Explicit security configuration options like resolve_entities, no_network flags available on parser instantiation
Comprehensive XPath and XSLT support with predictable libxml2 behavior across platforms
Detailed error reporting with line numbers and context for debugging malformed XML
Strong Unicode and encoding handling with automatic charset detection
Not secure-by-default for untrusted input—XXE protection requires explicit parser configuration
C extension dependency complicates deployment and adds supply chain surface area
Error messages can leak filesystem paths and internal structure details without sanitization
Best for: High-performance XML processing in trusted environments or when you need full XSLT/XPath capabilities with careful security hardening.
Avoid if: You're parsing untrusted XML without deep understanding of XXE mitigations, or need pure-Python portability without compilation requirements.
RECOMMENDED
Powerful XML/HTML processing with excellent API design and solid docs
lxml has been my go-to for XML and HTML processing for years, and it consistently delivers. The ElementTree API is intuitive and Pythonic, making simple tasks straightforward while XPath and XSLT support handles complex scenarios beautifully. Performance is outstanding compared to pure Python alternatives, which matters when processing large documents or doing bulk operations.
The documentation is comprehensive with practical examples that you can actually copy and adapt. The tutorial walks you through common patterns step-by-step, and the API reference is detailed without being overwhelming. Error messages are generally helpful, though encoding issues can sometimes produce cryptic libxml2 errors that require digging.
Debugging is straightforward thanks to clean stack traces and the ability to pretty-print XML at any point. The cssselect integration for HTML parsing is a killer feature that makes web scraping much more pleasant than dealing with raw XPath. Community support is solid - most common issues have Stack Overflow answers, and the mailing list archives are searchable when you hit edge cases.
The documentation is comprehensive with practical examples that you can actually copy and adapt. The tutorial walks you through common patterns step-by-step, and the API reference is detailed without being overwhelming. Error messages are generally helpful, though encoding issues can sometimes produce cryptic libxml2 errors that require digging.
Debugging is straightforward thanks to clean stack traces and the ability to pretty-print XML at any point. The cssselect integration for HTML parsing is a killer feature that makes web scraping much more pleasant than dealing with raw XPath. Community support is solid - most common issues have Stack Overflow answers, and the mailing list archives are searchable when you hit edge cases.
XPath and CSS selector support makes finding elements incredibly intuitive and powerful
Tutorial with progressive examples covers 90% of real-world use cases effectively
Excellent performance for parsing and transforming large XML/HTML documents
Clean ElementTree API that's easy to learn if you know basic Python data structures
Installation can fail on systems without libxml2/libxslt development headers pre-installed
Encoding errors sometimes bubble up as low-level libxml2 messages that are hard to interpret
Best for: Projects requiring robust XML/HTML parsing, web scraping, or XSLT transformations with good performance.
Avoid if: You need pure Python with zero compiled dependencies or only process simple JSON-like XML structures.
RECOMMENDED
Rock-solid XML processing with excellent XPath support and clear APIs
lxml has been my go-to for XML processing across multiple production projects. The library beautifully combines the ElementTree API that most Python developers know with the raw power of libxml2. XPath and XSLT support is exceptional - complex queries that would be painful with pure ElementTree become straightforward. The `etree.tostring()` and parsing methods handle encoding gracefully, and namespace handling actually makes sense once you understand the `nsmap` parameter.
Error messages are generally helpful, pointing to line numbers in malformed XML and providing context. The documentation is comprehensive with a tutorial that covers 80% of common use cases. I particularly appreciate the detailed examples for XPath expressions and CSS selectors via `cssselect`. Debugging is straightforward since you can inspect the tree structure intuitively.
The main learning curve is installation-related (C dependencies) and understanding when to use lxml vs standard library xml.etree. Performance is excellent even with large documents. Stack Overflow has extensive coverage of common issues, and the official docs answer most questions before you need to search elsewhere.
Error messages are generally helpful, pointing to line numbers in malformed XML and providing context. The documentation is comprehensive with a tutorial that covers 80% of common use cases. I particularly appreciate the detailed examples for XPath expressions and CSS selectors via `cssselect`. Debugging is straightforward since you can inspect the tree structure intuitively.
The main learning curve is installation-related (C dependencies) and understanding when to use lxml vs standard library xml.etree. Performance is excellent even with large documents. Stack Overflow has extensive coverage of common issues, and the official docs answer most questions before you need to search elsewhere.
XPath 1.0 support is complete and fast, with clear syntax for namespace handling
Comprehensive tutorial with real-world examples covering parsing, validation, and transformation
Error messages include line numbers and context for malformed XML
CSS selector support via cssselect integration simplifies web scraping workflows
Requires C compilation which can complicate deployment in constrained environments
Memory usage can be high for very large documents without iterparse streaming approach
Best for: Projects requiring robust XML/HTML parsing, XPath queries, XSLT transformations, or processing large XML documents with good performance.
Avoid if: You need pure Python with zero C dependencies or only have trivial XML parsing needs covered by stdlib.
Write a Review
Sign in to write a review
Sign In
Used By
htmldate
57
python-pptx
50
blobfile
50
cmsis-svd
51
python3-saml
47
unstructured
50
pikepdf
64
Scrapy
64
unittest-xml-reporting
56
signxml
54
sacrebleu
64
lxml-html-clean
54
xmlsec
54
boostedblob
42
trafilatura
54
gcovr
59
jusText
56
duckduckgo-search
58
redshift-connector
65
zeep
60
and 7 more