Skip to content

Update lxml to 4.7.0 #231

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
pyup-bot wants to merge 1 commit into from
Closed

Update lxml to 4.7.0 #231

pyup-bot wants to merge 1 commit into from

Conversation

@pyup-bot
Copy link
Contributor

@pyup-bot pyup-bot commented Dec 13, 2021

This PR updates lxml from 4.6.2 to 4.7.0.

Changelog

4.7.0

==================

Features added
--------------

* Chunked Unicode string parsing via ``parser.feed()`` now encodes the input data
to the native UTF-8 encoding directly, instead of going through ``Py_UNICODE`` /
``wchar_t`` encoding first, which previously required duplicate recoding in most cases.

Bugs fixed
----------

* The standard namespace prefixes were mishandled during "C14N2" serialisation on Python 3.
See https://mail.python.org/archives/list/lxmlpython.org/thread/6ZFBHFOVHOS5GFDOAMPCT6HM5HZPWQ4Q/

* ``lxml.objectify`` previously accepted non-XML numbers with underscores (like "1_000")
as integers or float values in Python 3.6 and later. It now adheres to the number
format of the XML spec again.

* LP1939031: Static wheels of lxml now contain the header files of zlib and libiconv
(in addition to the already provided headers of libxml2/libxslt/libexslt).

Other changes
-------------

* Wheels include libxml2 2.9.12+ and libxslt 1.1.34 (also on Windows).

4.6.5

==================

Bugs fixed
----------

* A vulnerability (GHSL-2021-1038) in the HTML cleaner allowed sneaking script
content through SVG images.

* A vulnerability (GHSL-2021-1037) in the HTML cleaner allowed sneaking script
content through CSS imports and other crafted constructs.

4.6.4

==================

Features added
--------------

* GH317: A new property ``system_url`` was added to DTD entities.
Patch by Thirdegree.

* GH314: The ``STATIC_*`` variables in ``setup.py`` can now be passed via env vars.
Patch by Isaac Jurado.

4.6.3

==================

Bugs fixed
----------

* A vulnerability (CVE-2021-28957) was discovered in the HTML Cleaner by Kevin Chung,
which allowed JavaScript to pass through.  The cleaner now removes the HTML5
``formaction`` attribute.
Links

@pyup-bot pyup-bot mentioned this pull request Dec 13, 2021
Closed
@codecov
Copy link

codecov bot commented Dec 13, 2021

Codecov Report

Merging #231 (62ee256) into master (a2f0d23) will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##           master     #231   +/-   ##
=======================================
  Coverage   98.06%   98.06%           
=======================================
  Files          27       27           
  Lines        1293     1293           
=======================================
  Hits         1268     1268           
  Misses         25       25

@pyup-bot
Copy link
Contributor Author

pyup-bot commented Feb 17, 2022

Closing this in favor of #240

@pyup-bot pyup-bot closed this Feb 17, 2022
@jraddaoui jraddaoui deleted the pyup-update-lxml-4.6.2-to-4.7.0 branch February 17, 2022 15:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@pyup-bot