Changes for version 2.0213 - 2026-05-21
- SECURITY / BUG FIXES
  - Revert PR #143 per the libxml2 author's request. PR #143 added a URL-scheme filter inside LibXML_load_external_entity and removed the EXTERNAL_ENTITY_LOADER_FUNC == NULL guards on the five Schema/RelaxNG NONET swap sites, on the premise that no_network on one parser should override a user-installed global externalEntityLoader. Nick Wellnhofer clarified that this contradicts upstream intent: XML_PARSE_NONET only polices libxml2's default loader; a user who installs a global loader is explicitly opting out of that policy, and the http/https/ftp allowlist was never a real security boundary. Reverted in full; PR #138's lifecycle/memory-safety fixes are kept.
- BUG FIXES
  - Fix latent SEGV in _externalEntityLoader. The XS code returned &PL_sv_undef as RETVAL when no previous global loader existed. Because xsubpp auto-mortalizes SV* RETVAL, each call mortalized the PL_sv_undef singleton, eventually driving its refcount negative and producing "Attempt to free unreferenced scalar" followed by SEGV under repeated invocation. Now returns newSV(0) so RETVAL is always a fresh refcount-1 SV safe to mortalize. The bug shipped in 2.0212 with PR #138's lifecycle fixes; this is a single-line correction to that code path.
- MAINTENANCE
  - Add t/49global_extent_with_no_network.t, 17 subtests locking in the entity-loader contract restored by the GH #168 revert: a user-installed global loader takes precedence over no_network across plain XML parse, RelaxNG, and XML Schema, while no_network without any loader still blocks via libxml2's default loader.
  - Document the entity-loader contract in CLAUDE.md ("Entity loaders, no_network, and XML_PARSE_NONET") plus a "Verifying audit-flagged security findings" checklist to keep pattern-matched "security fixes" like PR #143 from shipping again.
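
The entity-loader contract described above means that an application which installs a global loader has to enforce its own resolution policy. The sketch below is an added example, not code from the XML::LibXML distribution or its test suite: it resolves system IDs only by exact match against a local catalogue and records everything else. The catalogue, the `urn:example:` ID, the sample document and the callback's argument order (system ID, public ID) are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added illustration; not part of the XML::LibXML distribution.
use strict;
use warnings;
use XML::LibXML;

# Constructed catalogue: the only system IDs this process will resolve.
my %CATALOG = ( 'urn:example:greeting' => 'hello' );
my @refused;    # system IDs the loader declined, kept for logging

# Global loader. Per the 2.0213 notes it takes precedence over no_network,
# so the policy lives here: exact-match lookup, never a fetch.
# Assumption: the callback gets (system ID, public ID) and its return
# value is parsed as the entity's content.
sub catalog_loader {
    my ($sysid, $pubid) = @_;
    return $CATALOG{$sysid} if defined $sysid && exists $CATALOG{$sysid};
    push @refused, defined $sysid ? $sysid : '(undef)';
    return '';    # a refused entity expands to nothing
}
XML::LibXML::externalEntityLoader(\&catalog_loader);

# Constructed document: one catalogued entity, one network reference.
my $xml = <<'XML';
<!DOCTYPE r [
  <!ENTITY ok  SYSTEM "urn:example:greeting">
  <!ENTITY net SYSTEM "http://example.invalid/secret">
]>
<r><a>&ok;</a><b>&net;</b></r>
XML

# no_network is set, yet both lookups are expected to reach the loader.
my $parser = XML::LibXML->new(no_network => 1, expand_entities => 1);
my $doc    = $parser->parse_string($xml);

printf "a=[%s] b=[%s]\n", $doc->findvalue('/r/a'), $doc->findvalue('/r/b');
print "refused: $_\n" for @refused;
```

The `@refused` list is the useful signal for monitoring: any entry in it is a document that tried to pull in a resource the application never catalogued.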
Documentation
XML::LibXML Attribute Class
XML::LibXML Class for CDATA Sections
XML::LibXML Comment Class
XML::LibXML DOM Implementation
XML::LibXML DOM Document Class
XML::LibXML's DOM L2 Document Fragment Implementation
XML::LibXML DTD Handling
XML::LibXML Class for Element Nodes
XML::LibXML Class for Input Callbacks
A map for named nodes
XML::LibXML Namespace Implementation
Abstract Base Class of XML::LibXML Nodes
XML::LibXML Processing Instructions
Parsing XML Data with XML::LibXML
XML::LibXML::Pattern - interface to libxml2 XPath patterns
XML::LibXML::RegExp - interface to libxml2 regular expressions
RelaxNG Schema Validation
XML Schema Validation
XML::LibXML Class for Text Nodes
XML::LibXML::XPathExpression - interface to libxml2 pre-compiled XPath expressions
semi-automatically and partially convert Test.pm scripts to Test::More.
Modules
Perl Binding for libxml2
tie an XML::LibXML::Element to a hash to access its attributes
Boolean true/false values
Constants and Character Encoding Routines
makes functions from LibXML.xs available
Structured Errors
Structured Errors
Simple string values.
a list of XML document nodes
Simple numeric values.
XML::LibXML::Reader - interface to libxml2 pull parser
XML::LibXML direct SAX parser
Building DOM trees from SAX events.
Generate SAX events from a LibXML tree
XPath Evaluation
Examples
- example/JBR-ALLENtrees.htm
- example/article.xml
- example/article_bad.xml
- example/article_external_bad.xml
- example/article_internal.xml
- example/article_internal_bad.xml
- example/bad.dtd
- example/bad.xml
- example/catalog.xml
- example/cb_example.pl
- example/complex/complex.dtd
- example/complex/complex.xml
- example/complex/complex2.xml
- example/complex/dtd/f.dtd
- example/complex/dtd/g.dtd
- example/create-sample-html-document.pl
- example/dromeds.xml
- example/dtd.xml
- example/enc2_latin2.html
- example/enc_latin2.html
- example/ext_ent.dtd
- example/hello-world.pl
- example/ns.xml
- example/test.dtd
- example/test.html
- example/test.xhtml
- example/test.xml
- example/test2.xml
- example/test3.xml
- example/test4.xml
- example/thedieline.rss
- example/utf-16-1.html
- example/utf-16-2.html
- example/utf-16-2.xml
- example/xmlns/badguy.xml
- example/xmlns/goodguy.xml
- example/xpath.pl
- example/yahoo-finance-html-with-errors.html