cargo / quick-xml

quick-xml

cargo

High performance xml reader and writer

Audits

PE Patrick Elsen 2026-05-28

quick-xml@0.39.4

quick-xml 0.39.4 is a pull-based XML reader/writer with optional serde and tokio support. The crate uses #![forbid(unsafe_code)], has no network access, and does not resolve external entities or expand DTD-declared entities, eliminating XXE and billion-laughs risks at the library level. No findings were recorded.

filesystem-safehas-binarieshas-build-exechas-fuzz-testshas-install-exechas-integration-testshas-property-testshas-unit-testsimpl-algorithmimpl-concurrencyimpl-cryptoimpl-datastructureimpl-interpreterimpl-jitimpl-parserimpl-protocolis-benignparser-impl-correctparser-impl-safeparser-impl-testeduses-concurrencyuses-cryptouses-environmentuses-execuses-filesystemuses-interpreteruses-jituses-networkuses-unsafe