nokogiri 1.10.9 → 1.11.0.rc4

data/lib/nokogiri/xml/node/save_options.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 module Nokogiri
   module XML
     class Node

data/lib/nokogiri/xml/node_set.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 module Nokogiri
   module XML
     ####

data/lib/nokogiri/xml/notation.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 module Nokogiri
   module XML
     class Notation < Struct.new(:name, :public_id, :system_id)

data/lib/nokogiri/xml/parse_options.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 module Nokogiri
   module XML
     ###
@@ -5,11 +6,11 @@ module Nokogiri
     #
     # == Building combinations of parse options
     # You can build your own combinations of these parse options by using any of the following methods:
-    # *Note*: All examples attempt to set the +RECOVER+ & +NOENT+ options. All examples use Ruby 2 optional parameter syntax.
+    # *Note*: All examples attempt to set the +RECOVER+ & +NOENT+ options.
     # [Ruby's bitwise operators] You can use the Ruby bitwise operators to set various combinations.
-    #   Nokogiri.XML('<content>Chapter 1</content', options: Nokogiri::XML::ParseOptions.new((1 << 0) | (1 << 1)))
+    #   Nokogiri.XML('<content>Chapter 1</content', nil, nil, Nokogiri::XML::ParseOptions.new((1 << 0) | (1 << 1)))
     # [Method chaining] Every option has an equivalent method in lowercase. You can chain these methods together to set various combinations.
-    #   Nokogiri.XML('<content>Chapter 1</content', options: Nokogiri::XML::ParseOptions.new.recover.noent)
+    #   Nokogiri.XML('<content>Chapter 1</content', nil, nil, Nokogiri::XML::ParseOptions.new.recover.noent)
     # [Using Ruby Blocks] You can also setup parse combinations in the block passed to Nokogiri.XML or Nokogiri.HTML
     #   Nokogiri.XML('<content>Chapter 1</content') {|config| config.recover.noent}
     #
@@ -72,6 +73,8 @@ module Nokogiri
       DEFAULT_XML  = RECOVER | NONET
       # the default options used for parsing HTML documents
       DEFAULT_HTML = RECOVER | NOERROR | NOWARNING | NONET
+      # the default options used for parsing XML schemas
+      DEFAULT_SCHEMA = NONET
 
       attr_accessor :options
       def initialize options = STRICT
@@ -106,6 +109,10 @@ module Nokogiri
         @options & RECOVER == STRICT
       end
 
+      def ==(other)
+        other.to_i == to_i
+      end
+
       alias :to_i :options
 
       def inspect

data/lib/nokogiri/xml/pp.rb

@@ -1,2 +1,3 @@
+# frozen_string_literal: true
 require 'nokogiri/xml/pp/node'
 require 'nokogiri/xml/pp/character_data'

data/lib/nokogiri/xml/pp/character_data.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 module Nokogiri
   module XML
     module PP

data/lib/nokogiri/xml/pp/node.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 module Nokogiri
   module XML
     module PP

data/lib/nokogiri/xml/processing_instruction.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 module Nokogiri
   module XML
     class ProcessingInstruction < Node

data/lib/nokogiri/xml/reader.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 module Nokogiri
   module XML
     ###
@@ -87,9 +88,12 @@ module Nokogiri
       ###
       # Get a list of attributes for the current node.
       def attributes
-        Hash[attribute_nodes.map { |node|
-          [node.name, node.to_s]
-        }].merge(namespaces || {})
+        attrs_hash = attribute_nodes.each_with_object({}) do |node, hash|
+                       hash[node.name] = node.to_s
+                     end
+        ns = namespaces
+        attrs_hash.merge!(ns) if ns
+        attrs_hash
       end
 
       ###

data/lib/nokogiri/xml/relax_ng.rb

@@ -1,11 +1,12 @@
+# frozen_string_literal: true
 module Nokogiri
   module XML
     class << self
       ###
       # Create a new Nokogiri::XML::RelaxNG document from +string_or_io+.
       # See Nokogiri::XML::RelaxNG for an example.
-      def RelaxNG string_or_io
-        RelaxNG.new(string_or_io)
+      def RelaxNG(string_or_io, options = ParseOptions::DEFAULT_SCHEMA)
+        RelaxNG.new(string_or_io, options)
       end
     end
 
@@ -26,6 +27,10 @@ module Nokogiri
     #   end
     #
     # The list of errors are Nokogiri::XML::SyntaxError objects.
+    #
+    # NOTE: RelaxNG input is always treated as TRUSTED documents, meaning that they will cause the
+    # underlying parsing libraries to access network resources. This is counter to Nokogiri's
+    # "untrusted by default" security policy, but is a limitation of the underlying libraries.
     class RelaxNG < Nokogiri::XML::Schema
     end
   end

data/lib/nokogiri/xml/sax.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 require 'nokogiri/xml/sax/document'
 require 'nokogiri/xml/sax/parser_context'
 require 'nokogiri/xml/sax/parser'

data/lib/nokogiri/xml/sax/document.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 module Nokogiri
   module XML
     ###

data/lib/nokogiri/xml/sax/parser.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 module Nokogiri
   module XML
     module SAX

data/lib/nokogiri/xml/sax/parser_context.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 module Nokogiri
   module XML
     module SAX

data/lib/nokogiri/xml/sax/push_parser.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 module Nokogiri
   module XML
     module SAX

data/lib/nokogiri/xml/schema.rb

@@ -1,11 +1,12 @@
+# frozen_string_literal: true
 module Nokogiri
   module XML
     class << self
       ###
       # Create a new Nokogiri::XML::Schema object using a +string_or_io+
       # object.
-      def Schema string_or_io
-        Schema.new(string_or_io)
+      def Schema(string_or_io, options = ParseOptions::DEFAULT_SCHEMA)
+        Schema.new(string_or_io, options)
       end
     end
 
@@ -26,15 +27,23 @@ module Nokogiri
     #   end
     #
     # The list of errors are Nokogiri::XML::SyntaxError objects.
+    #
+    # NOTE: As of v1.11.0, Schema treats inputs as UNTRUSTED by default, and so external entities
+    # are not resolved from the network (`http://` or `ftp://`). Previously, parsing treated
+    # documents as "trusted" by default which was counter to Nokogiri's "untrusted by default"
+    # security policy. If a document is trusted, then the caller may turn off the NONET option via
+    # the ParseOptions to re-enable external entity resolution over a network connection.
     class Schema
       # Errors while parsing the schema file
       attr_accessor :errors
+      # The Nokogiri::XML::ParseOptions used to parse the schema
+      attr_accessor :parse_options
 
       ###
       # Create a new Nokogiri::XML::Schema object using a +string_or_io+
       # object.
-      def self.new string_or_io
-        from_document Nokogiri::XML(string_or_io)
+      def self.new string_or_io, options = ParseOptions::DEFAULT_SCHEMA
+        from_document(Nokogiri::XML(string_or_io), options)
       end
 
       ###

data/lib/nokogiri/xml/searchable.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 module Nokogiri
   module XML
     #
@@ -11,7 +12,9 @@ module Nokogiri
       # Regular expression used by Searchable#search to determine if a query
       # string is CSS or XPath
       LOOKS_LIKE_XPATH = /^(\.\/|\/|\.\.|\.$)/
-      
+
+      # @!group Searching via XPath or CSS Queries
+
       ###
       # call-seq: search *paths, [namespace-bindings, xpath-variable-bindings, custom-handler-class]
       #
@@ -45,7 +48,7 @@ module Nokogiri
       #   )
       #
       # See Searchable#xpath and Searchable#css for further usage help.
-      def search *args
+      def search(*args)
         paths, handler, ns, binds = extract_params(args)
 
         xpaths = paths.map(&:to_s).map do |path|
@@ -54,6 +57,7 @@ module Nokogiri
 
         xpath(*(xpaths + [ns, handler, binds].compact))
       end
+
       alias :/ :search
 
       ###
@@ -63,9 +67,10 @@ module Nokogiri
       # result. +paths+ must be one or more XPath or CSS queries.
       #
       # See Searchable#search for more information.
-      def at *args
+      def at(*args)
         search(*args).first
       end
+
       alias :% :at
 
       ###
@@ -101,7 +106,7 @@ module Nokogiri
       # found in an XML document, where tags names are case-sensitive
       # (e.g., "H1" is distinct from "h1").
       #
-      def css *args
+      def css(*args)
         rules, handler, ns, _ = extract_params(args)
 
         css_internal self, rules, handler, ns
@@ -114,7 +119,7 @@ module Nokogiri
       # match. +rules+ must be one or more CSS selectors.
       #
       # See Searchable#css for more information.
-      def at_css *args
+      def at_css(*args)
         css(*args).first
       end
 
@@ -148,7 +153,7 @@ module Nokogiri
       #     end
       #   }.new)
       #
-      def xpath *args
+      def xpath(*args)
         paths, handler, ns, binds = extract_params(args)
 
         xpath_internal self, paths, handler, ns, binds
@@ -161,17 +166,19 @@ module Nokogiri
       # match. +paths+ must be one or more XPath queries.
       #
       # See Searchable#xpath for more information.
-      def at_xpath *args
+      def at_xpath(*args)
         xpath(*args).first
       end
 
+      # @!endgroup
+
       private
 
-      def css_internal node, rules, handler, ns
+      def css_internal(node, rules, handler, ns)
         xpath_internal node, css_rules_to_xpath(rules, ns), handler, ns, nil
       end
 
-      def xpath_internal node, paths, handler, ns, binds
+      def xpath_internal(node, paths, handler, ns, binds)
         document = node.document
         return NodeSet.new(document) unless document
 
@@ -186,12 +193,12 @@ module Nokogiri
         end
       end
 
-      def xpath_impl node, path, handler, ns, binds
+      def xpath_impl(node, path, handler, ns, binds)
         ctx = XPathContext.new(node)
         ctx.register_namespaces(ns)
-        path = path.gsub(/xmlns:/, ' :') unless Nokogiri.uses_libxml?
+        path = path.gsub(/xmlns:/, " :") unless Nokogiri.uses_libxml?
 
-        binds.each do |key,value|
+        binds.each do |key, value|
           ctx.register_variable key.to_s, value
         end if binds
 
@@ -202,13 +209,15 @@ module Nokogiri
         rules.map { |rule| xpath_query_from_css_rule(rule, ns) }
       end
 
-      def xpath_query_from_css_rule rule, ns
+      def xpath_query_from_css_rule(rule, ns)
+        visitor = Nokogiri::CSS::XPathVisitorOptimallyUseBuiltins.new
         self.class::IMPLIED_XPATH_CONTEXTS.map do |implied_xpath_context|
-          CSS.xpath_for(rule.to_s, :prefix => implied_xpath_context, :ns => ns)
-        end.join(' | ')
+          CSS.xpath_for(rule.to_s, {:prefix => implied_xpath_context, :ns => ns,
+                                    :visitor => visitor})
+        end.join(" | ")
       end
 
-      def extract_params params # :nodoc:
+      def extract_params(params) # :nodoc:
         handler = params.find do |param|
           ![Hash, String, Symbol].include?(param.class)
         end

data/lib/nokogiri/xml/syntax_error.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 module Nokogiri
   module XML
     ###

data/lib/nokogiri/xml/text.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 module Nokogiri
   module XML
     class Text < Nokogiri::XML::CharacterData

data/lib/nokogiri/xml/xpath.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 require 'nokogiri/xml/xpath/syntax_error'
 
 module Nokogiri

data/lib/nokogiri/xml/xpath/syntax_error.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 module Nokogiri
   module XML
     class XPath

data/lib/nokogiri/xml/xpath_context.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 module Nokogiri
   module XML
     class XPathContext

data/lib/nokogiri/xslt.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 require 'nokogiri/xslt/stylesheet'
 
 module Nokogiri

data/lib/nokogiri/xslt/stylesheet.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 module Nokogiri
   module XSLT
     ###

data/lib/xsd/xmlparser/nokogiri.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 require 'nokogiri'
 
 module XSD # :nodoc:

data/patches/libxml2/0006-htmlParseComment-treat-as-if-it-closed-the-comment.patch

@@ -0,0 +1,73 @@
+From 4f51a6d2b1755ce5b36c524c215aad70d864ac1d Mon Sep 17 00:00:00 2001
+From: Mike Dalessio <mike.dalessio@gmail.com>
+Date: Mon, 3 Aug 2020 17:36:05 -0400
+Subject: [PATCH 1/2] htmlParseComment: treat `--!>` as if it closed the
+ comment
+
+See guidance provided on incorrectly-closed comments here:
+
+https://html.spec.whatwg.org/multipage/parsing.html#parse-error-incorrectly-closed-comment
+---
+ HTMLparser.c | 28 ++++++++++++++++++++--------
+ 1 file changed, 20 insertions(+), 8 deletions(-)
+
+diff --git a/HTMLparser.c b/HTMLparser.c
+index 7b6d689..4d43479 100644
+--- a/HTMLparser.c
++++ b/HTMLparser.c
+@@ -3300,6 +3300,7 @@ htmlParseComment(htmlParserCtxtPtr ctxt) {
+     int q, ql;
+     int r, rl;
+     int cur, l;
++    int next, nl;
+     xmlParserInputState state;
+ 
+     /*
+@@ -3332,6 +3333,21 @@ htmlParseComment(htmlParserCtxtPtr ctxt) {
+     while (IS_CHAR(cur) &&
+            ((cur != '>') ||
+ 	    (r != '-') || (q != '-'))) {
++	NEXTL(l);
++	next = CUR_CHAR(nl);
++	if (next == 0) {
++	    SHRINK;
++	    GROW;
++	    next = CUR_CHAR(nl);
++	}
++
++	if ((q == '-') && (r == '-') && (cur == '!') && (next == '>')) {
++	  htmlParseErr(ctxt, XML_ERR_COMMENT_NOT_FINISHED,
++		       "Comment incorrectly closed by '--!>'", NULL, NULL);
++	  cur = '>';
++	  break;
++	}
++
+ 	if (len + 5 >= size) {
+ 	    xmlChar *tmp;
+ 
+@@ -3345,18 +3361,14 @@ htmlParseComment(htmlParserCtxtPtr ctxt) {
+ 	    }
+ 	    buf = tmp;
+ 	}
+-	COPY_BUF(ql,buf,len,q);
++        COPY_BUF(ql,buf,len,q);
++
+ 	q = r;
+ 	ql = rl;
+ 	r = cur;
+ 	rl = l;
+-	NEXTL(l);
+-	cur = CUR_CHAR(l);
+-	if (cur == 0) {
+-	    SHRINK;
+-	    GROW;
+-	    cur = CUR_CHAR(l);
+-	}
++	cur = next;
++	l = nl;
+     }
+     buf[len] = 0;
+     if (IS_CHAR(cur)) {
+-- 
+2.25.1
+

data/patches/libxml2/0007-use-new-htmlParseLookupCommentEnd-to-find-comment-en.patch

@@ -0,0 +1,103 @@
+From b20d746fa7cbb74716171bc49d836af99927e41e Mon Sep 17 00:00:00 2001
+From: Mike Dalessio <mike.dalessio@gmail.com>
+Date: Sun, 11 Oct 2020 14:15:37 -0400
+Subject: [PATCH 2/2] use new htmlParseLookupCommentEnd to find comment ends
+
+Note that the caret in error messages generated during comment parsing
+may have moved by one byte.
+
+See guidance provided on incorrectly-closed comments here:
+
+https://html.spec.whatwg.org/multipage/parsing.html#parse-error-incorrectly-closed-comment
+---
+ HTMLparser.c | 46 +++++++++++++++++++++++++++++++++++++---------
+ 1 file changed, 37 insertions(+), 9 deletions(-)
+
+diff --git a/HTMLparser.c b/HTMLparser.c
+index 4d43479..000dc3d 100644
+--- a/HTMLparser.c
++++ b/HTMLparser.c
+@@ -5331,6 +5331,39 @@ htmlParseLookupChars(htmlParserCtxtPtr ctxt, const xmlChar * stop,
+     return (-1);
+ }
+ 
++/**
++ * htmlParseLookupCommentEnd:
++ * @ctxt: an HTML parser context
++ *
++ * Try to find a comment end tag in the input stream
++ * The search includes "-->" as well as WHATWG-recommended incorrectly-closed tags.
++ * (See https://html.spec.whatwg.org/multipage/parsing.html#parse-error-incorrectly-closed-comment)
++ * This function has a side effect of (possibly) incrementing ctxt->checkIndex
++ * to avoid rescanning sequences of bytes, it DOES change the state of the
++ * parser, do not use liberally.
++ * This wraps to htmlParseLookupSequence()
++ *
++ * Returns the index to the current parsing point if the full sequence is available, -1 otherwise.
++ */
++static int
++htmlParseLookupCommentEnd(htmlParserCtxtPtr ctxt)
++{
++    int mark = 0;
++    int cur = CUR_PTR - BASE_PTR;
++
++    while (mark >= 0) {
++	mark = htmlParseLookupSequence(ctxt, '-', '-', 0, 1, 1);
++	if ((mark < 0) ||
++	    (NXT(mark+2) == '>') ||
++	    ((NXT(mark+2) == '!') && (NXT(mark+3) == '>'))) {
++	    return mark;
++	}
++	ctxt->checkIndex = cur + mark + 1;
++    }
++    return mark;
++}
++
++
+ /**
+  * htmlParseTryOrFinish:
+  * @ctxt:  an HTML parser context
+@@ -5507,8 +5540,7 @@ htmlParseTryOrFinish(htmlParserCtxtPtr ctxt, int terminate) {
+ 		cur = in->cur[0];
+ 	        if ((cur == '<') && (next == '!') &&
+ 		    (in->cur[2] == '-') && (in->cur[3] == '-')) {
+-		    if ((!terminate) &&
+-		        (htmlParseLookupSequence(ctxt, '-', '-', '>', 1, 1) < 0))
++		    if ((!terminate) && (htmlParseLookupCommentEnd(ctxt) < 0))
+ 			goto done;
+ #ifdef DEBUG_PUSH
+ 		    xmlGenericError(xmlGenericErrorContext,
+@@ -5567,8 +5599,7 @@ htmlParseTryOrFinish(htmlParserCtxtPtr ctxt, int terminate) {
+ 		next = in->cur[1];
+ 		if ((cur == '<') && (next == '!') &&
+ 		    (in->cur[2] == '-') && (in->cur[3] == '-')) {
+-		    if ((!terminate) &&
+-		        (htmlParseLookupSequence(ctxt, '-', '-', '>', 1, 1) < 0))
++		    if ((!terminate) && (htmlParseLookupCommentEnd(ctxt) < 0))
+ 			goto done;
+ #ifdef DEBUG_PUSH
+ 		    xmlGenericError(xmlGenericErrorContext,
+@@ -5614,8 +5645,7 @@ htmlParseTryOrFinish(htmlParserCtxtPtr ctxt, int terminate) {
+ 		next = in->cur[1];
+ 	        if ((cur == '<') && (next == '!') &&
+ 		    (in->cur[2] == '-') && (in->cur[3] == '-')) {
+-		    if ((!terminate) &&
+-		        (htmlParseLookupSequence(ctxt, '-', '-', '>', 1, 1) < 0))
++		    if ((!terminate) && (htmlParseLookupCommentEnd(ctxt) < 0))
+ 			goto done;
+ #ifdef DEBUG_PUSH
+ 		    xmlGenericError(xmlGenericErrorContext,
+@@ -5871,9 +5901,7 @@ htmlParseTryOrFinish(htmlParserCtxtPtr ctxt, int terminate) {
+ 			htmlParseDocTypeDecl(ctxt);
+ 		    } else if ((cur == '<') && (next == '!') &&
+ 			(in->cur[2] == '-') && (in->cur[3] == '-')) {
+-			if ((!terminate) &&
+-			    (htmlParseLookupSequence(
+-				ctxt, '-', '-', '>', 1, 1) < 0))
++			if ((!terminate) && (htmlParseLookupCommentEnd(ctxt) < 0))
+ 			    goto done;
+ #ifdef DEBUG_PUSH
+ 			xmlGenericError(xmlGenericErrorContext,
+-- 
+2.25.1
+