Nokogiri v1.12.5 Release Notes

Release Date: 2021-09-27 // about 1 year ago
  • ๐Ÿ”’ Security

    ๐Ÿ”’ [JRuby] Address CVE-2021-41098 (GHSA-2rr5-8q37-2w7h).

    0๏ธโƒฃ In Nokogiri v1.12.4 and earlier, on JRuby only, the SAX parsers resolve external entities (XXE) by default. This fix turns off entity-resolution-by-default in the JRuby SAX parsers to match the CRuby SAX parsers' behavior.

    ๐Ÿ’Ž CRuby users are not affected by this CVE.

    ๐Ÿ›  Fixed

    • ๐Ÿ’Ž [CRuby] Document#to_xhtml properly serializes self-closing tags in libxml > 2.9.10. A behavior change introduced in libxml 2.9.11 resulted in emitting start and and tags (e.g., <br></br>) instead of a self-closing tag (e.g., <br/>) in previous Nokogiri versions. [#2324]