set XMLParser(resolve_entities=False), it's safer and we don't need t…

…o resolve external entities anyway

src/picosvg/svg.py

@@ -1430,7 +1430,13 @@ def fromstring(cls, string):
             string = string.replace("xlink:href", _XLINK_TEMP)
 
         # encode because fromstring dislikes xml encoding decl if input is str
-        parser = etree.XMLParser(remove_comments=True, remove_blank_text=True)
+        parser = etree.XMLParser(
+            remove_comments=True,
+            remove_blank_text=True,
+            # external entities may load local files (e.g. /etc/passwd), so disable
+            # safe entities like > are still allowed
+            resolve_entities=False,
+        )
         tree = etree.fromstring(string.encode("utf-8"), parser)
         tree = _fix_xlink_ns(tree)
         return cls(tree)