Changes for version 0.07 - 2026-07-16

  • Security
    • Fixed XSS: HTML::Entities::decode is now suppressed when keep_hrefs => 1. Without this fix, encoded payloads like <script> were decoded to raw tags that bypassed re-escaping and appeared in the output.
    • Fixed ReDoS: possessive quantifier (++) now used in the bare-& substitution regex, preventing O(n^2) backtracking on adversarial inputs.
    • Removed /e eval flag from _sub_map (hash lookup needs no eval semantics).
    • Removed /e eval flag from keep_hrefs substitution; uses %_HTML_ESCAPE map.
    • Removed /gex eval from apos_map substitution; uses alternation regex + /g.
  • Enhancements
    • Added the ™ (trade mark) character for both HTML (™) and XML (™)
    • Added regression test for č (č / č)
    • Added Ž (Ž / Ž) character support and regression test
    • Added bin/wide2html and bin/wide2xml command-line scripts
    • Added t/security.t: regression suite for all security fixes above.
    • _sub_map internal helper now uses O(1) hash lookup (was O(n) grep per match).
    • %_EXTRA_ENTITY_MAP / $_EXTRA_ENTITY_RE hoisted to module-level compile-time constants (were rebuilt on every call).
  • Bug Fixes
    • Fixed entity_map pre-decode (č, ž etc.) which was silently ignored due to single-character regex.
    • Fixed &Iicrc; typo in pass-3 HTML byte_map (correct spelling: Î).
    • wide_to_xml() undef error message now reads "wide_to_xml() string not set" (was "string not set"), consistent with wide_to_html().
  • Removed
    • Removed Term::ANSIColor runtime dependency (was used only in now-deleted debug instrumentation).
    • Removed ~30 commented-out print STDERR debug blocks from source.
  • Documentation
    • All POD die references corrected to croak (error location is caller's, not the module's internals).
    • PSEUDOCODE steps updated to reflect the keep_hrefs entity-decode suppression.
    • FORMAL SPECIFICATION corrected: wide_to_xml error string and croak vs die.
    • SYNOPSIS XML example corrected to show actual zero-padded output (é).
    • keep_hrefs POD documents the XSS-prevention side effect.
    • DESCRIPTION bullet items fixed (C<< >> form prevents fat-comma rendering bug).
    • README.md regenerated from POD.
  • Meta
    • LICENSE field corrected from 'GPL' to 'gpl_2' (CPAN meta-spec v2 identifier).
    • Repository URL changed from git:// to https:// (git:// dropped by GitHub 2022).
    • Time::HiRes added to TEST_REQUIRES in Makefile.PL and cpanfile.
    • Term::ANSIColor removed from PREREQ_PM / cpanfile (no longer used at runtime).

Documentation

Modules

Convert wide characters (Unicode, UTF-8, etc.) into ASCII-safe HTML or XML entities