
Do you mean that it is, in fact, a mistake to use defusedxml instead of lxml in Python?


From the author themselves, 6 years ago:

> defusedxml.lxml is no longer needed and supported. Nowadays libxml2 has builtin limitation for entity expansion.

https://github.com/tiran/defusedxml/issues/25#issuecomment-4...


Note that this is not enabled by default, although there is an upper bound on tree size which does limit the reach of the issue.

See https://lxml.de/FAQ.html#is-lxml-vulnerable-to-xml-bombs for more about the tuning knobs.


OK, so the defusedxml.lxml submodule is deprecated and one should use the other APIs from defusedxml instead. That does not mean that defusedxml in its entirety would be useless.


libxml2 segfaults on me whenever I give it vaguely complicated xsl templates so I'm doubtful about how effective that handling will be.


If you’re trying to use it for lxml then yes, it was only ever experimental and has been deprecated (it also failed to define some interfaces correctly causing issues).

If you’re using it over the stdlib then no.



