@FilipJirsak FilipJirsak released this Jul 1, 2018 · 3 commits to master since this release

Assets 5

Bug fix release.

Potential breaking changes

  • If you use some optional dependency of dom4j (for example Jaxen, xsdlib etc.), you need to specify an explicit dependency on it in your project. They are no longer marked as a mandatory transitive dependency by dom4j.
  • Following SAX parser features are disabled by default in DocumentHelper.parse() for security reasons (they were enabled in previous versions):
    • http://xml.org/sax/properties/external-general-entities
    • http://xml.org/sax/properties/external-parameter-entities

Fixed issues

  • #28 Possible vulnerability of DocumentHelper.parseText() to XML injection (reported by @s0m30ne)
  • #34 CVS directories left in the source tree (reported by @ebourg)
  • #38 XMLWriter does not escape supplementary unicode characters correctly (reported by @abenkovskii)
  • #39 writer.writeOpen(x) doesn't write namespaces (reported by @borissmidt)
  • #40 concurrency problem with QNameCache (@jbennett2091)
  • #43 and #46 all dependencies are optional (reported by @Zardoz89 and @vmassol)
  • #44 SAXReader: hardcoded namespace features (reported by @philippeu)
  • #48 validate QNames (reported by @mario-areias)