Nokogiri version 1.8.3 has been released!
TL;DR: This is a feature and bugfix release. There's also a commit reverted
in the vendored upstream libxml2 that the Nokogiri maintainers feel
introduced unnecessary security risk involving sanitizing HTML attributes.
You're encouraged to read the release notes and the related documents if
you're curious or want to evaluate whether you should upgrade.
The release is being made from NYC, at the twelfth and final GORUCO. Much
love to the many organizers and attendees over the years that made it the
longest-running regional Ruby conference in North America.
Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many
features is the ability to search documents via XPath or CSS3 selectors.
* Installation Help: http://nokogiri.org/tutorials/installing_nokogiri.html
* Tutorials: http://nokogiri.org
* GitHub: https://github.com/sparklemotion/nokogiri
* Mailing List: https://groups.google.com/group/nokogiri-talk
* Bug Reports: https://github.com/sparklemotion/nokogiri/issues
* Chat/Gitter: https://gitter.im/sparklemotion/nokogiri
# 1.8.3 / 2018-06-16
## Security Notes
[MRI] Behavior in libxml2 has been reverted which caused CVE-2018-8048
(loofah gem), CVE-2018-3740 (sanitize gem), and CVE-2018-3741
(rails-html-sanitizer gem). The commit in question is here:
and more information is available about this commit and its impact here:
This release simply reverts the libxml2 commit in question to protect users
of Nokogiri's vendored libraries from similar vulnerabilities.
If you're offended by what happened here, I'd kindly ask that you comment
on the upstream bug report here:
* [MRI] libxml2 is updated from 2.9.7 to 2.9.8
* Node#classes, #add_class, #append_class, and #remove_class are added.
* NodeSet#append_class is added.
* NodeSet#remove_attribute is a new alias for NodeSet#remove_attr.
* NodeSet#each now returns an Enumerator when no block is passed (Thanks,
* [JRuby] General improvements in JRuby implementation (Thanks, @kares!)
## Bug fixes
* CSS attribute selectors now gracefully handle queries using integers.
* Handle ASCII-8BIT encoding on fragment input [#553]
* Handle non-string return values within `Reader` [#898]
* [JRuby] Allow Node#replace to insert Comment and CDATA nodes. [#1666]
* [JRuby] Stability and speed improvements to `Node`, `Sax::PushParser`,
and the JRuby implementation [#1708, #1710, #1501]