Changelog
### 4.6.5
```
==================
Bugs fixed
----------
* A vulnerability (GHSL-2021-1038) in the HTML cleaner allowed sneaking script
content through SVG images.
* A vulnerability (GHSL-2021-1037) in the HTML cleaner allowed sneaking script
content through CSS imports and other crafted constructs.
```
### 4.6.4
```
==================
Features added
--------------
* GH317: A new property ``system_url`` was added to DTD entities.
Patch by Thirdegree.
* GH314: The ``STATIC_*`` variables in ``setup.py`` can now be passed via env vars.
Patch by Isaac Jurado.
```
### 4.6.3
```
==================
Bugs fixed
----------
* A vulnerability (CVE-2021-28957) was discovered in the HTML Cleaner by Kevin Chung,
which allowed JavaScript to pass through. The cleaner now removes the HTML5
``formaction`` attribute.
```
Links
- PyPI: https://pypi.org/project/lxml
- Changelog: https://pyup.io/changelogs/lxml/
- Homepage: https://lxml.de/
This PR updates lxml from 4.6.2 to 4.6.5.
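
For anyone reviewing this update, here is an added example (not part of the PR body or of lxml) that reports which of the fixes listed in the changelog above are absent from an exactly pinned lxml version. The requirements text is constructed, and `missing_fixes` and `parse_version` are hypothetical helper names.

```python
import re

# Advisory -> first lxml release containing the fix, taken from the changelog above.
FIXED_IN = {
    "CVE-2021-28957": (4, 6, 3),   # formaction attribute passed through the HTML cleaner
    "GHSL-2021-1037": (4, 6, 5),   # script content via CSS imports and other constructs
    "GHSL-2021-1038": (4, 6, 5),   # script content via SVG images
}

# Matches only exact numeric pins such as "lxml==4.6.2" (optional extras and
# environment marker allowed); ranges and pre-release tags are not evaluated.
PIN = re.compile(r"^\s*lxml(?:\[[^\]]*\])?\s*==\s*(\d+(?:\.\d+)*)\s*(?:;.*)?$",
                 re.IGNORECASE)


def parse_version(text):
    """Turn '4.6.2' into (4, 6, 2), padded to three fields for comparison."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def missing_fixes(requirements_text):
    """Return (pinned_version, advisories not yet fixed), or None without an exact pin."""
    for line in requirements_text.splitlines():
        line = line.split("#", 1)[0]  # drop comments
        match = PIN.match(line)
        if match:
            pinned = parse_version(match.group(1))
            missing = sorted(a for a, fixed in FIXED_IN.items() if pinned < fixed)
            return pinned, missing
    return None


# Constructed sample input, not taken from any real repository.
SAMPLE = """\
# constructed requirements file
requests==2.25.1
lxml==4.6.2  # the version this PR updates from
"""

if __name__ == "__main__":
    print(missing_fixes(SAMPLE))
```

A `None` result means the file has no exact lxml pin, so the resolved version has to be checked in the lock file or the installed environment instead.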