Skip to content

Commit

Permalink
update CHANGELOG
Browse files Browse the repository at this point in the history
  • Loading branch information
flavorjones committed Sep 27, 2021
1 parent 6b60637 commit 2a0ac88
Showing 1 changed file with 16 additions and 0 deletions.
16 changes: 16 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,22 @@

Nokogiri follows [Semantic Versioning](https://semver.org/), please see the [README.md](README.md) for details.

## 1.12.next / unreleased

### Security

[JRuby] Address CVE-2021-41098 ([GHSA-2rr5-8q37-2w7h](https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-2rr5-8q37-2w7h)).

In Nokogiri v1.12.4 and earlier, on JRuby only, the SAX parsers resolve external entities (XXE) by default. This fix turns off entity-resolution-by-default in the JRuby SAX parsers to match the CRuby SAX parsers' behavior.

CRuby users are not affected by this CVE.


### Fixed

* [CRuby] `Document#to_xhtml` properly serializes self-closing tags in libxml > 2.9.10. A behavior change introduced in libxml 2.9.11 resulted in emitting start and and tags (e.g., `<br></br>`) instead of a self-closing tag (e.g., `<br/>`) in previous Nokogiri versions. [[#2324](https://github.com/sparklemotion/nokogiri/issues/2324)]


## 1.12.4 / 2021-08-29

### Notable fix: Namespace inheritance
Expand Down

0 comments on commit 2a0ac88

Please sign in to comment.