Nokogiri v1.13.5 has been released with a security update for CRuby users.
The changelog entry
<Release 1.13.5 / 2022-05-04 · sparklemotion/nokogiri · GitHub> is
reproduced here for your convenience, and interested readers are encouraged
to click through to the security advisory
<Update packaged libxml2 to 2.9.14 · Advisory · sparklemotion/nokogiri · GitHub>
for more details.
···
---
1.13.5 / 2022-05-04Security
- [CRuby] Vendored libxml2 is updated to address CVE-2022-29824
<NVD - CVE-2022-29824>. See
GHSA-cgx6-hpwq-fhv5
<Update packaged libxml2 to 2.9.14 · Advisory · sparklemotion/nokogiri · GitHub>
for
more information.
Dependencies
- [CRuby] Vendored libxml2 is updated from v2.9.13 to v2.9.14
<libxml2 2.9.14 · GNOME / libxml2 · GitLab>.
Improvements
- [CRuby] The libxml2 HTML4 parser no longer exhibits quadratic behavior
when recovering some broken markup related to start-of-tag and bare <
characters.
Changed
- [CRuby] The libxml2 HTML4 parser in v2.9.14 recovers from some broken
markup differently. Notably, the XML CDATA escape sequence <![CDATA[ and
incorrectly-opened comments will result in HTML text nodes starting with
<! instead of skipping the invalid tag. This behavior is a direct
result of the quadratic-behavior fix
<https://gitlab.gnome.org/GNOME/libxml2/-/commit/798bdf1> noted above.
The behavior of downstream sanitizers relying on this behavior will also
change. Some tests describing the changed behavior are in
test/html4/test_comments.rb
<nokogiri/test_comments.rb at 3ed5bf2b5a367cb9dc6e329c5a1c512e1dd4565d · sparklemotion/nokogiri · GitHub>
.