Nokogiri v1.12.5 Release Notes

Release Date: 2021-09-27 // 28 days ago
  • ๐Ÿ”’ Security

    ๐Ÿ”’ [JRuby] Address CVE-2021-41098 (GHSA-2rr5-8q37-2w7h).

    0๏ธโƒฃ In Nokogiri v1.12.4 and earlier, on JRuby only, the SAX parsers resolve external entities (XXE) by default. This fix turns off entity-resolution-by-default in the JRuby SAX parsers to match the CRuby SAX parsers' behavior.

    ๐Ÿ’Ž CRuby users are not affected by this CVE.

    ๐Ÿ›  Fixed

    • ๐Ÿ’Ž [CRuby] Document#to_xhtml properly serializes self-closing tags in libxml > 2.9.10. A behavior change introduced in libxml 2.9.11 resulted in emitting start and and tags (e.g., <br></br>) instead of a self-closing tag (e.g., <br/>) in previous Nokogiri versions. [#2324]

Previous changes from v1.12.4

  • Notable fix: Namespace inheritance

    ๐Ÿ’Ž Namespace behavior when reparenting nodes has historically been poorly specified and the behavior diverged between CRuby and JRuby. As a result, making this behavior consistent in v1.12.0 introduced a breaking change.

    ๐Ÿš€ This patch release reverts the Builder behavior present in v1.12.0..v1.12.3 but keeps the Document behavior. This release also introduces a Document attribute to allow affected users to easily change this behavior for their legacy code without invasive changes.

    Compensating Feature in XML::Document

    ๐Ÿš€ This release of Nokogiri introduces a new Document boolean attribute, namespace_inheritance, which controls whether children should inherit a namespace when they are reparented. Nokogiri::XML:Document defaults this attribute to false meaning "do not inherit," thereby making explicit the behavior change introduced in v1.12.0.

    ๐Ÿ’Ž CRuby users who desire the pre-v1.12.0 behavior may set document.namespace_inheritance = true before reparenting nodes.

    See https://nokogiri.org/rdoc/Nokogiri/XML/Document.html#namespace_inheritance-instance_method for example usage.

    ๐Ÿ›  Fix for XML::Builder

    ๐Ÿ— However, recognizing that we want Builder-created children to inherit namespaces, Builder now will set namespace_inheritance=true on the underlying document for both JRuby and CRuby. This means that, on CRuby, the pre-v1.12.0 behavior is restored.

    ๐Ÿ— Users who want to turn this behavior off may pass a keyword argument to the Builder constructor like so:

    Nokogiri::XML::Builder.new(namespace_inheritance: false)
    

    ๐Ÿ— See https://nokogiri.org/rdoc/Nokogiri/XML/Builder.html#label-Namespace+inheritance for example usage.

    Downstream gem maintainers

    Note that any downstream gems may want to specifically omit Nokogiri v1.12.0--v1.12.3 from their dependency specification if they rely on child namespace inheritance:

    Gem::Specification.new do |gem|
      # ...
      gem.add_runtime_dependency 'nokogiri', '!=1.12.3', '!=1.12.2', '!=1.12.1', '!=1.12.0'
      # ...
    end
    

    ๐Ÿ›  Fixed

    • ๐Ÿ“œ [JRuby] Fix NPE in Schema parsing when an imported resource doesn't have a systemId. [#2296] (Thanks, @pepijnve!)