[ANN] Nokogiri security update v1.13.5

5 views
Skip to first unread message

Mike Dalessio

unread,
May 4, 2022, 4:51:46 PM5/4/22
to ruby-sec...@googlegroups.com, ruby-talk, nokogiri-talk
Nokogiri v1.13.5 has been released with a security update for CRuby users.

The changelog entry is reproduced here for your convenience, and interested readers are encouraged to click through to the security advisory for more details.

---

1.13.5 / 2022-05-04

Security

Dependencies

  • [CRuby] Vendored libxml2 is updated from v2.9.13 to v2.9.14.

Improvements

  • [CRuby] The libxml2 HTML4 parser no longer exhibits quadratic behavior when recovering some broken markup related to start-of-tag and bare < characters.

Changed

  • [CRuby] The libxml2 HTML4 parser in v2.9.14 recovers from some broken markup differently. Notably, the XML CDATA escape sequence <![CDATA[ and incorrectly-opened comments will result in HTML text nodes starting with &lt;! instead of skipping the invalid tag. This behavior is a direct result of the quadratic-behavior fix noted above. The behavior of downstream sanitizers relying on this behavior will also change. Some tests describing the changed behavior are in test/html4/test_comments.rb.
Reply all
Reply to author
Forward
0 new messages