diff --git a/cloudpulse/api/middleware/parsable_error.py b/cloudpulse/api/middleware/parsable_error.py
index e7cf8f0..284af3c 100644
--- a/cloudpulse/api/middleware/parsable_error.py
+++ b/cloudpulse/api/middleware/parsable_error.py
@@ -18,8 +18,9 @@ response with one formatted so the client can parse it.
 Based on pecan.middleware.errordocument
 """
 
+from defusedxml import ElementTree
 import json
-from xml import etree as et
+# from xml import etree as et
 
 import webob
 
@@ -69,11 +70,11 @@ class ParsableErrorMiddleware(object):
                == 'application/xml'):
                 try:
                     # simple check xml is valid
-                    body = [et.ElementTree.tostring(
-                            et.ElementTree.fromstring('<error_message>'
-                                                      + '\n'.join(app_iter)
-                                                      + '</error_message>'))]
-                except et.ElementTree.ParseError as err:
+                    body = [ElementTree.tostring(
+                            ElementTree.fromstring('<error_message>'
+                                                   + '\n'.join(app_iter)
+                                                   + '</error_message>'))]
+                except ElementTree.ParseError as err:
                     LOG.error(_LE('Error parsing HTTP response: %s'), err)
                     body = ['<error_message>%s' % state['status_code']
                             + '</error_message>']
diff --git a/requirements.txt b/requirements.txt
index df65d37..e22d2bc 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -20,3 +20,4 @@ python-glanceclient>=0.15.0,<0.18.0
 python-neutronclient>=2.4.0,<2.5.0
 python-novaclient>=2.22.0,<2.24.0
 WSME>=0.6,<0.7
+defusedxml>=0.4.1