Releases: xmldom/xmldom

0.8.4

29 Oct 22:02
27fec1f

Fixed

  • Security: Prevent inserting DOM nodes when they are not well-formed (CVE-2022-39353)
    In case such a DOM would be created, the part that is not well-formed will be transformed into text nodes, in which XML-specific characters like < and > are encoded accordingly.
    In the upcoming version 0.9.0 those text nodes will no longer be added and an error will be thrown instead.
    This change can break your code if you relied on this behavior in the past, e.g. multiple root elements. We consider it more important to align with the specs that we want to be aligned with, considering the potential security issues that might derive from people not being aware of the difference in behavior.
    Related Spec: https://dom.spec.whatwg.org/#concept-node-ensure-pre-insertion-validity

Thank you, @frumioj, @cjbarth, @markgollnick for your contributions

0.7.7

29 Oct 21:54
fe5b043

Fixed

  • Security: Prevent inserting DOM nodes when they are not well-formed (CVE-2022-39353)
    In case such a DOM would be created, the part that is not well-formed will be transformed into text nodes, in which XML-specific characters like < and > are encoded accordingly.
    In the upcoming version 0.9.0 those text nodes will no longer be added and an error will be thrown instead.
    This change can break your code if you relied on this behavior in the past, e.g. multiple root elements. We consider it more important to align with the specs that we want to be aligned with, considering the potential security issues that might derive from people not being aware of the difference in behavior.
    Related Spec: https://dom.spec.whatwg.org/#concept-node-ensure-pre-insertion-validity

Thank you, @frumioj, @cjbarth, @markgollnick for your contributions

0.9.0-beta.3

18 Oct 05:32
4a990d3
Pre-release

Fixed

  • fix: Stop adding tags after incomplete closing tag #445 / #416
    BREAKING CHANGE: It no longer reports an error when parsing HTML containing incomplete closing tags, to align the behavior with the one in the browser.
    BREAKING CHANGE: If your code relied on not well-formed XML to be parsed and include subsequent tags, this will no longer work.
  • fix: Avoid bidirectional characters in source code #440

Other

  • ci: Add CodeQL scan #444

Thank you, @ACN-kck, @mgerlach for your contributions

0.7.6

16 Oct 16:29
3ca016d

Fixed

  • Avoid iterating over prototype properties #441 / #437 / #436

Thank you, @jftanner, @Supraja9726 for your contributions

0.9.0-beta.2

11 Oct 03:45
e20c2d4
Pre-release

Fixed

  • Avoid iterating over prototype properties #437 / #436

Thank you, @Supraja9726 for your contributions

0.8.3

11 Oct 03:53
c9df7a2

Fixed

  • Avoid iterating over prototype properties #437 / #436

Thank you, @Supraja9726 for your contributions

0.9.0-beta.1

09 Oct 00:17
0b21623
Pre-release

Fixed

Only use HTML rules if mimeType matches #338, fixes #203

In the living specs for parsing XML and HTML that this library is trying to implement, there is a distinction between the different types of documents being parsed: quite a few rules are different for parsing, constructing and serializing XML vs HTML documents.

So far xmldom was always "detecting" whether "the HTML rules should be applied" by looking at the current namespace. So from the first time the HTML default namespace (http://www.w3.org/1999/xhtml) was found, every node was treated as being part of an HTML document. This misconception is the root cause of quite a few reported bugs.

BREAKING CHANGE: HTML rules are no longer applied just because of the namespace, but require the mimeType argument passed to DOMParser.parseFromString(source, mimeType) to match 'text/html'. Doing so implies all rules for handling casing for tag and attribute names when parsing, creation of nodes and searching nodes.

BREAKING CHANGE: Correct the return type of DOMParser.parseFromString to Document | undefined. In case of parsing errors it was always possible that "the returned Document" has not been created. In case you are using Typescript you now need to handle those cases.

BREAKING CHANGE: The instance property DOMParser.options is no longer available; instead use the individual readonly property per option (assign, domHandler, errorHandler, normalizeLineEndings, locator, xmlns). Those also provide the default value if the option was not passed. The 'locator' option is now just a boolean (default remains true).

BREAKING CHANGE: The following methods no longer allow a (non spec compliant) boolean argument to toggle "HTML rules":

  • XMLSerializer.serializeToString
  • Node.toString
  • Document.toString
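
A caller-side guard for the behaviours described in these notes (0.8.4 and 0.7.7 turn not well-formed parts into text nodes, 0.9.0 throws instead, and parseFromString may return undefined), as an added example that is not part of the xmldom project. The names parseXmlStrict, documentLevelProblems, stubParser and SAMPLE_* are hypothetical; the samples are constructed stand-ins for parser results, and tolerating whitespace-only text under the document node is an assumption.

```javascript
// DOM nodeType constants (values defined by the DOM spec).
const ELEMENT_NODE = 1;
const TEXT_NODE = 3;

// Returns a list of problems found at document level; an empty list means
// the structure is acceptable: exactly one root element and no text content
// directly under the Document node.
function documentLevelProblems(doc) {
  if (!doc) return ['parser returned no document'];
  const problems = [];
  let elements = 0;
  const children = doc.childNodes || [];
  for (let i = 0; i < children.length; i++) {
    const node = children[i];
    if (node.nodeType === ELEMENT_NODE) {
      elements++;
    } else if (node.nodeType === TEXT_NODE && /\S/.test(node.data || '')) {
      // Assumption: whitespace-only text at document level is harmless.
      problems.push('text at document level: ' + JSON.stringify(node.data.slice(0, 40)));
    }
  }
  if (elements !== 1) problems.push('expected 1 root element, found ' + elements);
  return problems;
}

// parser: any object exposing parseFromString(source, mimeType), for example
// a DOMParser instance. The mimeType is always passed explicitly.
function parseXmlStrict(parser, source, mimeType) {
  let doc;
  try {
    doc = parser.parseFromString(source, mimeType);
  } catch (err) {
    return { ok: false, problems: ['parser threw: ' + err.message] };
  }
  const problems = documentLevelProblems(doc);
  return problems.length ? { ok: false, problems } : { ok: true, doc };
}

// Constructed stand-ins for parser results (not real xmldom output).
const SAMPLE_WELL_FORMED = {
  childNodes: [{ nodeType: 3, data: '\n' }, { nodeType: 1, nodeName: 'root' }],
};
const SAMPLE_SECOND_ROOT_AS_TEXT = {
  childNodes: [{ nodeType: 1, nodeName: 'root' }, { nodeType: 3, data: '<second/>' }],
};
// Hypothetical stub so the guard can be exercised without the library.
const stubParser = (result) => ({ parseFromString: () => result });
```
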

The following interfaces have been implemented:
DOMImplementation now implements all methods defined in the DOM spec, but not all of the behavior is implemented (see docstring):

  • createDocument creates an "XML Document" (prototype: Document, property type is 'xml')
  • createHTMLDocument creates an "HTML Document" (type/prototype: Document, property type is 'html').
    • when no argument is passed or the first argument is a string, the basic nodes for an HTML structure are created, as specified
    • when the first argument is false no child nodes are created

Document now has two new readonly properties as specified in the DOM spec:

  • contentType which is the mime-type that was used to create the document
  • type which is either the string literal 'xml' or 'html'

MIME_TYPE (/lib/conventions.js):

  • hasDefaultHTMLNamespace tests if the provided string is one of the MIME types that imply the default HTML namespace: text/html or application/xhtml+xml

Thank you @weiwu-zhang for your contributions

Chore

  • update multiple devDependencies

0.8.2

05 Apr 19:36
0212111

Fixed

  • fix(dom): Serialize &gt; as specified (#395) #58

Other

  • docs: Add nodeType values to public interface description #396
  • test: Add executable examples for node and typescript #317
  • chore: Add minimal Object.assign ponyfill #379
  • docs: Refine release documentation #378
  • chore: update various dev dependencies

Thank you @niklasl, @cburatto, @SheetJSDev, @pyrsmk for your contributions

0.8.1

14 Feb 13:27
21b6142

Fixes

  • Only use own properties in entityMap #374

Docs

  • Add security policy #365
  • changelog: Correct contributor name and link #366
  • Describe release/publish steps #358, #376
  • Add snyk package health badge #360

0.8.0

22 Dec 20:12
01672e1

Fixed

  • Normalize all line endings according to XML specs 1.0 and 1.1
    BREAKING CHANGE: Certain combinations of line break characters are normalized to a single \n before parsing takes place and will no longer be preserved.
  • XMLSerializer: Preserve whitespace character references #284 / #310
    BREAKING CHANGE: If you relied on the not spec compliant preservation of literal \t, \n or \r in attribute values:
    to preserve those you will have to create XML that instead contains the correct numerical (or hexadecimal) equivalent (e.g. &#x9;, &#xA;, &#xD;).
  • Drop deprecated exports DOMImplementation and XMLSerializer from lib/dom-parser.js #53 / #309
    BREAKING CHANGE: Use the one provided by the main package export.
  • dom: Remove all links as part of removeChild #343 / #355

Chore

  • ci: Restore latest tested node version to 16.x #325
  • ci: Split test and lint steps into jobs #111 / #304
  • Pinned and updated devDependencies

Thank you @marrus-sh, @victorandree, @mdierolf, @tsabbay, @fatihpense for your contributions