Explicitly forbid DTDs when parsing XML

[jkakavas]

Protect pysaml2 users with insecure underlying XML libraries by
explicitly forbidding DTD in incoming XML SAML messages.

Not sure if this can be reliably tested (because of dependency in
undelying xml libraries
Resolves #508

All Submissions:

• Have you checked to ensure there aren't other open Pull Requests for the same update/change?
• Have you added an explanation of what problem you are trying to solve with this PR?
• Have you added information on what your changes do and why you chose this as your solution?
• Have you written new tests for your changes?
• Does your submission pass tests?
• This project follows PEP8 style guide. Have you run your code against the 'flake8' linter?

[c00kiemon5ter]

Hi @jkakavas ,

I do not want to have every call to .fromstring pass forbid_dtd. This is very fragile, and will need us to remember that every time we do something with .fromstring in the future. Instead, what will most probably happen, is pysaml2 will define its own xml parser, instead of using the ElementTree default parser. This will be part of #498 and as a result defusedxml package may no longer be needed.

[jkakavas]

Awesome. My search-foo failed me on this one, I'll try to keep up with the ongoing efforts in a better way. I'll go ahead and close this in favor of #498