@bodewig released this Apr 22, 2018

This release fixes a few bugs and introduces a new experimental feature. In particular XMLUnit will now configure all XML parsing code in a way that prevents XML eXternal Entity injections (XXE) by default - the only exceptions are the validation package and the legacy module.

The full list of changes is:

  • add a new experimental project xmlunit-placeholders which aims to
    use ${xmlunit.FOO} expressions inside of the control document to
    allow for a DSL-like approach of defining more complex tests.
    This initial seed only supports ${xmlunit.ignore} which can be
    used to make XMLUnit ignore the element containing this text.
    PR #105 by @zheng-wang.

  • added withDocumentBuilderFactory methods to HasXPathMatcher and
    EvaluateXPathMatcher to allow explicit configuration of the
    DocumentBuilderFactory used.
    Issue #108.

  • the DocumentBuilderFactory and TransformerFactory instances used
    by XMLUnit are now configured to not load any external DTDs or parse
    external entities. They are now configured according to the OWASP
    recommendations for XML eXternal Entity injection preventions. The
    TransformerFactory used by the
    org.xmlunit.transform.Transformation class is still configured to
    load external stylesheets, though.

    For the legacy package XXE prevention has to be enabled via
    XMLUnit.enableXXEProtection explicitly.

    This is a breaking change and you may need to provide
    DocumentBuilderFactory or TransformerFactory instances of your
    own if you need to load external entities.

    The SAXParserFactory and SchemaFactory instances used inside of
    the validation package have not been changed as their use is
    likely to require loading of external DTDs or schemas.

    Issue #91.

  • the configured NodeFilter is now applied before comparing
    DocumentType nodes.

    This change breaks backwards compatibility as the old behavior was
    to ignore DocumentType when counting the children of the
    Document node but not when actually comparing the
    DocumentType. Prior to this change, if one document had a document
    type declaration but the other didn't, a HAS_DOCTYPE_DECLARATION
    difference was detected; this is no longer the case. If you
    want to detect this difference, you need to use a more lenient
    NodeFilter than NodeFilters.Default
    (i.e. NodeFilters.AcceptAll) but then you will see an additional
    CHILD_NODELIST_LENGTH difference.

    The legacy package has been adapted and will behave as before even
    when using NewDifferenceEngine.

    Issue #116.

  • added a new Source implementation
    ElementContentWhitespaceStrippedSource which is similar to
    WhitespaceStrippedSource but only affects text nodes that solely
    consist of whitespace and doesn't affect any other text nodes. Also
    added convenience ignoreElementContentWhitespace methods to
    DiffBuilder and CompareMatcher.
    Issue #119.
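
The XXE item above describes factories that no longer load external DTDs or parse external entities. The following is an added example, not XMLUnit's own code, that compares a default DocumentBuilderFactory with one hardened along the lines of the OWASP cheat sheet. It assumes the JDK's built-in parser; the class name, marker string and temp file are constructed for the check, and the feature set is not claimed to match XMLUnit's exactly.

```java
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.xml.sax.InputSource;

public class XxeFactoryCheck {
    // Settings modelled on the OWASP XXE cheat sheet (assumption: JDK built-in parser).
    // DOCTYPE declarations stay allowed; only external loads are switched off.
    static DocumentBuilderFactory hardened() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Parses xml and reports whether the marker from the external file reached the DOM.
    static boolean leaks(DocumentBuilderFactory f, String xml, String marker) {
        try {
            String text = f.newDocumentBuilder()
                    .parse(new InputSource(new StringReader(xml)))
                    .getDocumentElement().getTextContent();
            return text.contains(marker);
        } catch (Exception e) {
            return false; // the parser refused the document, so nothing was loaded
        }
    }

    public static void main(String[] args) throws Exception {
        String marker = "CONSTRUCTED-MARKER-1234"; // constructed sample value
        Path ext = Files.createTempFile("xxe-check", ".txt");
        Files.write(ext, marker.getBytes(StandardCharsets.UTF_8));
        // Constructed test document whose entity points at the temp file created above.
        String xml = "<!DOCTYPE r [<!ENTITY e SYSTEM \"" + ext.toUri() + "\">]><r>&e;</r>";
        try {
            System.out.println("default factory leaks:  " + leaks(DocumentBuilderFactory.newInstance(), xml, marker));
            System.out.println("hardened factory leaks: " + leaks(hardened(), xml, marker));
        } finally {
            Files.delete(ext);
        }
    }
}
```

A JDK whose JAXP defaults still resolve external entities reports true for the default factory, while the hardened factory reports false. A factory built this way can be passed to the withDocumentBuilderFactory methods mentioned in these notes.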