Changes for version 2.0210_11 - 2026-05-19
- SECURITY / BUG FIXES
- Prevent out-of-bounds UTF-8 read in domParseChar by replacing it with libxml2's xmlValidateName. Truncated multi-byte sequences could cause heap reads past the NUL terminator across five DOM entry points (createElement, createAttribute, setNodeName, etc.).
- Enforce no_network even when a global externalEntityLoader is set. Previously XML_PARSE_NONET was silently ignored once a global callback was installed, enabling SSRF in multi-module applications that combine a third-party entity loader with no_network parsers.
- Prevent integer overflow in SAX CBuffer length tracking. Total character data exceeding INT_MAX (~2GB) overflowed the accumulator causing xmlMalloc to under-allocate and the subsequent memcpy to write past the buffer.
- Proper lifecycle management for externalEntityLoader: the global loader can now be cleared or replaced safely, the previous handler SV is no longer leaked, the returned value is a safe copy rather than the internal global SV, and per-parser ext_ent_handler state is separated from the global slot.
- Add NULL checks after xmlMalloc returns in SAX CBuffer operations, converting OOM segfaults into catchable Perl exceptions.
- Add NULL check after xmlCopyNamespace in _domReconcileNs, matching the existing guard in _domReconcileNsAttr.
- Plug 11 memory leaks across XS/C code, including setBaseURI, URI/documentURI accessors, load_catalog, PSaxCharactersFlush, createAttributeNS, XPathContext::_find, _newForIO, _toStringC14N, lookupNamespacePrefix, _setNamespace, and the generic XPath extension function dispatcher.
- Handle Apple's local libxml2 patch where xmlSAX2ResolveEntity throws on a NULL URI, so t/13dtd.t no longer dies on macOS.
- Skip t/50devel.t when mem_used() reports 0 bytes, which happens on Apple's libxml2 (system malloc bypasses the tracking wrappers).
- IMPROVEMENTS
- Resolve Windows CI test failures and compiler warnings: use the file size (-s) for the byteConsumed test instead of a hardcoded 488 (CRLF inflates the file to 507 bytes), use Perl UV/PTR2UV in PmmRegistryName to avoid pointer truncation under Win64 LLP64, and use const xmlError* for xmlCtxtGetLastError to match the libxml2 2.12+ API.
- Silence macOS build warnings cleanly by gating the libxml2 memory tracking API behind a HAVE_LIBXML_MEMORY_DEBUG feature macro. The deprecated calls are no longer compiled on systems where the API is gone (Apple SDK, libxml2 >= 2.14), mem_used is only exported when actually defined, and t/50devel.t skips with a clear reason. Also strip the bogus "-L/lib" entries Alien::Base::Wrapper injects into LDFLAGS on macOS.
- Add a minimal hello-world HTML example (example/hello-world.pl) and add createInternalSubset("html", ...) to both HTML examples so they emit a proper <!DOCTYPE html> declaration.
- Standardize XPath parameter naming to $xpath_expression throughout the DocBook source, matching the XML::LibXML::XPathExpression class name.
- Update outdated and dead references in README.md: point repository URLs at the canonical cpan-authors/XML-LibXML home, drop the defunct ActiveState mailing list, replace the long Windows nmake recipe with a Strawberry Perl note, refresh the macOS section, and bring the Package History up to date.
- Remove the stale "Known Issues" note about push-parser leaks. The leaks it referenced were fixed by Nick Wellnhofer in 2014.
- Point distribution metadata at the cpan-authors GitHub repo and add an explicit bugtracker entry so MetaCPAN's "Issues" link goes to GitHub Issues instead of falling back to rt.cpan.org.
- Add NamedNodeMap.pod to MANIFEST so the generated POD ships in the CPAN tarball; the L<XML::LibXML::NamedNodeMap> link in Node.pod now resolves on MetaCPAN.
- Update ppport.h and adopt its suggestions to reduce build issues.
- Fix test suite with libxml2 2.13.0 and 2.14.0.
- Remove tests that disable line numbers (always enabled since libxml2 2.15.0).
- Use `our $VERSION` instead of `use vars`.
- Fix formatting in docs/libxml.dbk.
- MAINTENANCE
- Modernize the CI workflow with a dynamic Perl version matrix, centralized cpanfile, and updated action versions.
- Use cpanm instead of cpm for the Linux CI matrix so jobs on Perl < 5.24 (down through 5.8) no longer fail to install dependencies.
- Expand CI platform coverage: FreeBSD 14.2, OpenBSD 7.6, NetBSD 10.1, Strawberry Perl on Windows, Fedora 43 container, AddressSanitizer, Devel::Cover + Codecov coverage upload, and a downstream XML::LibXSLT compatibility job.
- Fix BSD CI: use the correct OpenBSD package name (`libxml`, not `libxml2`) and install Perl dependencies explicitly instead of relying on META.json autodiscovery.
- Parallelize `make` compilation across CI jobs with platform-appropriate CPU detection.
- Temporarily disable OpenBSD 7.6 CI due to unreliable runners.
- Re-enable OpenBSD CI on version 7.8 once the runner situation stabilized.
- Add a CLAUDE.md describing project layout, build/test commands, libxml2 version landscape, and coding conventions.
- Add contributing guidelines covering CI, scope, MANIFEST, and version/release handling.
- Add AI_POLICY.md documenting how AI tools are used (and not used) in this project.
- Add MANIFEST.SKIP so local files (.hgignore, .tidyallrc, CLAUDE.md, etc.) are kept out of `make manifest` output.
- Drop unused dev helper (`tester.sh`) and the stale TODO file.
- Rename README to README.md and remove the obsolete Travis CI references.
Documentation
semi-automatically and partially convert Test.pm scripts to Test::More.
Modules
tie an XML::LibXML::Element to a hash to access its attributes
Boolean true/false values
makes functions from LibXML.xs available
Simple string values.
a list of XML document nodes
Simple numeric values.
Generate SAX events from a LibXML tree
Provides
in LibXML.pm
in LibXML.pm
in LibXML.pm
in LibXML.pm
in lib/XML/LibXML/Common.pm
in LibXML.pm
in LibXML.pm
in LibXML.pm
in LibXML.pm
in lib/XML/LibXML/ErrNo.pm
in lib/XML/LibXML/Error.pm
in LibXML.pm
in LibXML.pm
in LibXML.pm
in LibXML.pm
in LibXML.pm
in LibXML.pm
in lib/XML/LibXML/Reader.pm
in LibXML.pm
in LibXML.pm
in lib/XML/LibXML/SAX.pm
in lib/XML/LibXML/SAX/Generator.pm
in lib/XML/LibXML/SAX/Builder.pm
in lib/XML/LibXML/SAX/Parser.pm
in LibXML.pm
in LibXML.pm
in lib/XML/LibXML/XPathContext.pm
in LibXML.pm
in LibXML.pm
Examples
- example/JBR-ALLENtrees.htm
- example/article.xml
- example/article_bad.xml
- example/article_external_bad.xml
- example/article_internal.xml
- example/article_internal_bad.xml
- example/bad.dtd
- example/bad.xml
- example/catalog.xml
- example/cb_example.pl
- example/complex/complex.dtd
- example/complex/complex.xml
- example/complex/complex2.xml
- example/complex/dtd/f.dtd
- example/complex/dtd/g.dtd
- example/create-sample-html-document.pl
- example/dromeds.xml
- example/dtd.xml
- example/enc2_latin2.html
- example/enc_latin2.html
- example/ext_ent.dtd
- example/hello-world.pl
- example/ns.xml
- example/test.dtd
- example/test.html
- example/test.xhtml
- example/test.xml
- example/test2.xml
- example/test3.xml
- example/test4.xml
- example/thedieline.rss
- example/utf-16-1.html
- example/utf-16-2.html
- example/utf-16-2.xml
- example/xmllibxmldocs.pl
- example/xmlns/badguy.xml
- example/xmlns/goodguy.xml
- example/xpath.pl
- example/yahoo-finance-html-with-errors.html