[ANN] nokogiri 1.8.3 released

Nokogiri version 1.8.3 has been released!

TL;DR: This is a feature and bugfix release. There's also a commit reverted
in the vendored upstream libxml2 that the Nokogiri maintainers feel
introduced unnecessary security risk involving sanitizing HTML attributes.
You're encouraged to read the release notes and the related documents if
you're curious or want to evaluate whether you should upgrade.

The release is being made from NYC, at the twelfth and final GORUCO. Much
love to the many organizers and attendees over the years that made it the
longest-running regional Ruby conference in North America. :heart: :heart: :heart:

Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many
features is the ability to search documents via XPath or CSS3 selectors.

* http://nokogiri.org
* Installation Help: http://nokogiri.org/tutorials/installing_nokogiri.html
* Tutorials: http://nokogiri.org
* GitHub: https://github.com/sparklemotion/nokogiri
* Mailing List: https://groups.google.com/group/nokogiri-talk
* Bug Reports: https://github.com/sparklemotion/nokogiri/issues
* Chat/Gitter: https://gitter.im/sparklemotion/nokogiri

# 1.8.3 / 2018-06-16

## Security Notes

[MRI] Behavior in libxml2 has been reverted which caused CVE-2018-8048
(loofah gem), CVE-2018-3740 (sanitize gem), and CVE-2018-3741
(rails-html-sanitizer gem). The commit in question is here:

https://github.com/GNOME/libxml2/commit/960f0e2

and more information is available about this commit and its impact here:

https://github.com/flavorjones/loofah/issues/144

This release simply reverts the libxml2 commit in question to protect users
of Nokogiri's vendored libraries from similar vulnerabilities.

If you're offended by what happened here, I'd kindly ask that you comment
on the upstream bug report here:

https://bugzilla.gnome.org/show_bug.cgi?id=769760

## Dependencies

* [MRI] libxml2 is updated from 2.9.7 to 2.9.8

## Features

* Node#classes, #add_class, #append_class, and #remove_class are added.
* NodeSet#append_class is added.
* NodeSet#remove_attribute is a new alias for NodeSet#remove_attr.
* NodeSet#each now returns an Enumerator when no block is passed (Thanks,
@park53kr!)
* [JRuby] General improvements in JRuby implementation (Thanks, @kares!)

## Bug fixes

* CSS attribute selectors now gracefully handle queries using integers.
[#711]
* Handle ASCII-8BIT encoding on fragment input [#553]
* Handle non-string return values within `Reader` [#898]
* [JRuby] Allow Node#replace to insert Comment and CDATA nodes. [#1666]
* [JRuby] Stability and speed improvements to `Node`, `Sax::PushParser`,
and the JRuby implementation [#1708, #1710, #1501]

:heart:

Phone. Brevity. Typos.

···

On Sat, Jun 16, 2018, 4:15 PM Mike Dalessio <mike.dalessio@gmail.com> wrote:

Nokogiri version 1.8.3 has been released!

TL;DR: This is a feature and bugfix release. There's also a commit
reverted in the vendored upstream libxml2 that the Nokogiri maintainers
feel introduced unnecessary security risk involving sanitizing HTML
attributes. You're encouraged to read the release notes and the related
documents if you're curious or want to evaluate whether you should upgrade.

The release is being made from NYC, at the twelfth and final GORUCO. Much
love to the many organizers and attendees over the years that made it the
longest-running regional Ruby conference in North America. :heart: :heart: :heart:

Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's
many features is the ability to search documents via XPath or CSS3
selectors.

* http://nokogiri.org
* Installation Help:
http://nokogiri.org/tutorials/installing_nokogiri.html
* Tutorials: http://nokogiri.org
* GitHub: https://github.com/sparklemotion/nokogiri
* Mailing List: https://groups.google.com/group/nokogiri-talk
* Bug Reports: https://github.com/sparklemotion/nokogiri/issues
* Chat/Gitter: https://gitter.im/sparklemotion/nokogiri

# 1.8.3 / 2018-06-16

## Security Notes

[MRI] Behavior in libxml2 has been reverted which caused CVE-2018-8048
(loofah gem), CVE-2018-3740 (sanitize gem), and CVE-2018-3741
(rails-html-sanitizer gem). The commit in question is here:

> https://github.com/GNOME/libxml2/commit/960f0e2

and more information is available about this commit and its impact here:

> https://github.com/flavorjones/loofah/issues/144

This release simply reverts the libxml2 commit in question to protect
users of Nokogiri's vendored libraries from similar vulnerabilities.

If you're offended by what happened here, I'd kindly ask that you comment
on the upstream bug report here:

> https://bugzilla.gnome.org/show_bug.cgi?id=769760

## Dependencies

* [MRI] libxml2 is updated from 2.9.7 to 2.9.8

## Features

* Node#classes, #add_class, #append_class, and #remove_class are added.
* NodeSet#append_class is added.
* NodeSet#remove_attribute is a new alias for NodeSet#remove_attr.
* NodeSet#each now returns an Enumerator when no block is passed (Thanks,
@park53kr!)
* [JRuby] General improvements in JRuby implementation (Thanks, @kares!)

## Bug fixes

* CSS attribute selectors now gracefully handle queries using integers.
[#711]
* Handle ASCII-8BIT encoding on fragment input [#553]
* Handle non-string return values within `Reader` [#898]
* [JRuby] Allow Node#replace to insert Comment and CDATA nodes. [#1666]
* [JRuby] Stability and speed improvements to `Node`, `Sax::PushParser`,
and the JRuby implementation [#1708, #1710, #1501]

Unsubscribe: <mailto:ruby-talk-request@ruby-lang.org?subject=unsubscribe>
<http://lists.ruby-lang.org/cgi-bin/mailman/options/ruby-talk>