Nokogiri v1.13.6 Release Notes

Release Date: 2022-05-08
  • Security

    • [CRuby] Address CVE-2022-29181, improper handling of unexpected data types, related to untrusted inputs to the SAX parsers. See GHSA-xh29-r2w5-wx8m for more information.

    Improvements

    • {HTML4,XML}::SAX::{Parser,ParserContext} constructor methods now raise TypeError instead of segfaulting when an incorrect type is passed.
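
To find applications still locked to a release older than the v1.13.6 fix, a Gemfile.lock can be audited offline. The following is an added example, not code from the Nokogiri project; the function name, result fields and sample lockfile are constructed for illustration, and it assumes the "java" platform gem is the JRuby build that the [CRuby] tag above excludes.

```ruby
require "rubygems" # Gem::Version

# First release carrying the CVE-2022-29181 fix, per the release notes above.
FIXED_VERSION = Gem::Version.new("1.13.6")

# Locked gem entries sit at exactly four spaces of indent under "specs:".
# Native builds carry a platform suffix, e.g. "nokogiri (1.13.5-x86_64-linux)".
SPEC_LINE = /\A {4}nokogiri \((\d[0-9A-Za-z.]*)(?:-([^)]+))?\)\s*\z/

# Returns one hash per locked nokogiri entry found in the lockfile text.
def audit_nokogiri(lockfile_text)
  lockfile_text.each_line.filter_map do |line|
    m = SPEC_LINE.match(line.chomp)
    next unless m # skips dependency constraints (6 spaces) and DEPENDENCIES (2)

    version = Gem::Version.new(m[1])
    platform = m[2] || "ruby"
    {
      version: version.to_s,
      platform: platform,
      below_fix: version < FIXED_VERSION, # prereleases of 1.13.6 also count
      cruby: platform != "java"           # assumption: "java" is the JRuby gem
    }
  end
end

# Constructed sample lockfile, not taken from any real project.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      loofah (2.18.0)
        crass (~> 1.0.2)
        nokogiri (>= 1.5.9)
      nokogiri (1.13.5)
      nokogiri (1.13.5-java)
      nokogiri (1.13.6-x86_64-linux)

  PLATFORMS
    ruby

  DEPENDENCIES
    nokogiri
LOCK

audit_nokogiri(SAMPLE_LOCK).each { |entry| puts entry.inspect } if $PROGRAM_NAME == __FILE__
```

Entries with both below_fix and cruby set are the ones the CVE-2022-29181 item applies to.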

Previous changes from v1.13.5

  • Security

    Dependencies

    • [CRuby] Vendored libxml2 is updated from v2.9.13 to v2.9.14.

    Improvements

    • [CRuby] The libxml2 HTML parser no longer exhibits quadratic behavior when recovering some broken markup related to start-of-tag and bare < characters.

    Changed

    • [CRuby] The libxml2 HTML parser in v2.9.14 recovers from some broken markup differently. Notably, the XML CDATA escape sequence <![CDATA[ and incorrectly-opened comments will result in HTML text nodes starting with &lt;! instead of skipping the invalid tag. This behavior is a direct result of the quadratic-behavior fix noted above. The behavior of downstream sanitizers relying on this behavior will also change. Some tests describing the changed behavior are in test/html4/test_comments.rb.