Changelog
### 4.7.1
```
==================
Features added
--------------
* Chunked Unicode string parsing via ``parser.feed()`` now encodes the input data
to the native UTF-8 encoding directly, instead of going through ``Py_UNICODE`` /
``wchar_t`` encoding first, which previously required duplicate recoding in most cases.
Bugs fixed
----------
* The standard namespace prefixes were mishandled during "C14N2" serialisation on Python 3.
See https://mail.python.org/archives/list/lxmlpython.org/thread/6ZFBHFOVHOS5GFDOAMPCT6HM5HZPWQ4Q/
* ``lxml.objectify`` previously accepted non-XML numbers with underscores (like "1_000")
as integers or float values in Python 3.6 and later. It now adheres to the number
format of the XML spec again.
* LP1939031: Static wheels of lxml now contain the header files of zlib and libiconv
(in addition to the already provided headers of libxml2/libxslt/libexslt).
Other changes
-------------
* Wheels include libxml2 2.9.12+ and libxslt 1.1.34 (also on Windows).
```
### 4.7.0
```
==================
* Release retracted due to missing files in lxml/includes/.
```
### 4.6.5
```
==================
Bugs fixed
----------
* A vulnerability (GHSL-2021-1038) in the HTML cleaner allowed sneaking script
content through SVG images.
* A vulnerability (GHSL-2021-1037) in the HTML cleaner allowed sneaking script
content through CSS imports and other crafted constructs.
```
### 4.6.4
```
==================
Features added
--------------
* GH317: A new property ``system_url`` was added to DTD entities.
Patch by Thirdegree.
* GH314: The ``STATIC_*`` variables in ``setup.py`` can now be passed via env vars.
Patch by Isaac Jurado.
```
### 4.6.3
```
==================
Bugs fixed
----------
* A vulnerability (CVE-2021-28957) was discovered in the HTML Cleaner by Kevin Chung,
which allowed JavaScript to pass through. The cleaner now removes the HTML5
``formaction`` attribute.
```
Links
- PyPI: https://pypi.org/project/lxml
- Changelog: https://pyup.io/changelogs/lxml/
- Homepage: https://lxml.de/
This PR updates lxml from 4.6.2 to 4.7.1.
Changelog
### 4.7.1 ``` ================== Features added -------------- * Chunked Unicode string parsing via ``parser.feed()`` now encodes the input data to the native UTF-8 encoding directly, instead of going through ``Py_UNICODE`` / ``wchar_t`` encoding first, which previously required duplicate recoding in most cases. Bugs fixed ---------- * The standard namespace prefixes were mishandled during "C14N2" serialisation on Python 3. See https://mail.python.org/archives/list/lxmlpython.org/thread/6ZFBHFOVHOS5GFDOAMPCT6HM5HZPWQ4Q/ * ``lxml.objectify`` previously accepted non-XML numbers with underscores (like "1_000") as integers or float values in Python 3.6 and later. It now adheres to the number format of the XML spec again. * LP1939031: Static wheels of lxml now contain the header files of zlib and libiconv (in addition to the already provided headers of libxml2/libxslt/libexslt). Other changes ------------- * Wheels include libxml2 2.9.12+ and libxslt 1.1.34 (also on Windows). ``` ### 4.7.0 ``` ================== * Release retracted due to missing files in lxml/includes/. ``` ### 4.6.5 ``` ================== Bugs fixed ---------- * A vulnerability (GHSL-2021-1038) in the HTML cleaner allowed sneaking script content through SVG images. * A vulnerability (GHSL-2021-1037) in the HTML cleaner allowed sneaking script content through CSS imports and other crafted constructs. ``` ### 4.6.4 ``` ================== Features added -------------- * GH317: A new property ``system_url`` was added to DTD entities. Patch by Thirdegree. * GH314: The ``STATIC_*`` variables in ``setup.py`` can now be passed via env vars. Patch by Isaac Jurado. ``` ### 4.6.3 ``` ================== Bugs fixed ---------- * A vulnerability (CVE-2021-28957) was discovered in the HTML Cleaner by Kevin Chung, which allowed JavaScript to pass through. The cleaner now removes the HTML5 ``formaction`` attribute. ```Links
- PyPI: https://pypi.org/project/lxml - Changelog: https://pyup.io/changelogs/lxml/ - Homepage: https://lxml.de/