Use xml.etree through defusedxml

[scop]

Description:

...for security reasons. Untested apart from tox/Travis, I don't have these devices around.

Related issue (if applicable): fixes #

Pull request in home-assistant.io with documentation (if applicable): home-assistant/home-assistant.io#<home-assistant.io PR number goes here>

Example entry for configuration.yaml (if applicable):

Checklist:

• The code change is tested and works locally.
• Local tests pass with tox. Your PR cannot be merged unless tests pass
• There is no commented out code in this PR.

If user exposed functionality or configuration variables are added/changed:

• Documentation added/updated in home-assistant.io

If the code communicates with devices, web services, or third-party tools:

• New dependencies have been added to the REQUIREMENTS variable (example).
• New dependencies are only imported inside functions that use them (example).
• New or updated dependencies have been added to requirements_all.txt by running script/gen_requirements_all.py.
• New files were added to .coveragerc.

If the code does not interact with devices:

• Tests have been added to verify that the new code works.

[fabaff]

Isn't defusedxml as drop-in replacement? If so, I think that we are fine.

[scop]

Yep, for ElementTree it just installs a few handlers that disable entity declarations and external entity fetches; the actual parser is still the same ElementTree. https://github.com/tiran/defusedxml/blob/master/defusedxml/ElementTree.py