v0.2.0

What's Changed

• xpath3: fix format-integer picture validation and string arg atomization by @lestrrat in #487
• reject duplicate signedinfo in xmldsig1 verify by @lestrrat in #488
• confine nested external entities to configured fs by @lestrrat in #493
• fix key() panic on empty first argument by @lestrrat in #494
• confine FileURIResolver with os.Root by @lestrrat in #495
• bound sequence accumulation in xpath3 compositions by @lestrrat in #496
• fix schematron swallowing xpath eval errors by @lestrrat in #497
• xsd: require all xs:key fields to be present by @lestrrat in #498
• xmlenc1: bind aes key size to declared algorithm by @lestrrat in #491
• reject mismatched rsa-oaep digest and mgf by @lestrrat in #489
• validate element and attribute names on serialize by @lestrrat in #492
• xslt3: route schema-location loads through resolver by @lestrrat in #499
• fix xmlenc1 encrypt element in place by @lestrrat in #490
• extract EncryptedData test literal to const by @lestrrat in #505
• reject duplicate dtd enumeration tokens by @lestrrat in #500
• fix html parser spin on nul byte by @lestrrat in #501
• reject duplicate attributes in start tags by @lestrrat in #502
• fix catalog nil deref when no loader by @lestrrat in #503
• strip xml whitespace in xmlenc base64 fields by @lestrrat in #504
• strip xml whitespace from xmldsig1 base64 by @lestrrat in #506
• enforce recursion limit in EvaluateReuse by @lestrrat in #507
• fix self-loop when replacing node with its sibling by @lestrrat in #508
• validate time ranges in xs:time and xs:dateTime by @lestrrat in #509
• return ErrNilNode from WriteTo on nil node by @lestrrat in #510
• validate relaxng base64Binary lexical space by @lestrrat in #512
• restore var scope after xsl:try body by @lestrrat in #513
• reject non-singleton fn:index-of search value by @lestrrat in #515
• unlink children moved to primary result-document by @lestrrat in #516
• fix xs:dateTimeStamp comparisons by @lestrrat in #518
• fix runecursor read short-buffer panic by @lestrrat in #519
• fix double-counted fractional seconds in duration div by @lestrrat in #520
• preserve absolute uri base in c14n 1.1 fixup by @lestrrat in #521
• guard nil context node in absolute paths by @lestrrat in #523
• fail lint when xinclude processing errors by @lestrrat in #527
• include namespace nodes in signed subtree c14n by @lestrrat in #528
• reject trailing tokens in ParseSequenceType by @lestrrat in #533
• bound float frac rounding to avoid nan overflow by @lestrrat in #524
• fix format-integer CJK panic for large values by @lestrrat in #511
• process apply-templates selection in order by @lestrrat in #522
• surface bytecursor error returned with data by @lestrrat in #530
• reject malformed utf-16 in unparsed-text by @lestrrat in #531
• reject non-blank cdata in empty xsd content by @lestrrat in #517
• clear node context for atomic xsl:iterate items by @lestrrat in #525
• match xsd root element on full expanded name by @lestrrat in #529
• report invalid schematron value-of select by @lestrrat in #532
• fix cdata detection in xml normalization by @lestrrat in #534
• reject idc field selecting multiple nodes by @lestrrat in #535
• validate element and attribute names in stream writer by @lestrrat in #537
• apply arg coercion in named function references by @lestrrat in #536
• register used-package #all templates under modeAll by @lestrrat in #541
• fix xinclude double-resolve of relative base by @lestrrat in #526
• reject non-date/time args in fn:dateTime by @lestrrat in #540
• reject xs:import with mismatched namespace by @lestrrat in #543
• validate inline attribute simpleType by @lestrrat in #539
• validate shim encoder token names by @lestrrat in #538
• keep xsl:sequence order in document variables by @lestrrat in #544
• treat absolute-uri include/import hrefs as absolute by @lestrrat in #542
• order typed template results in document variables by @lestrrat in #545
• reject xmldsig signatures with no references by @lestrrat in #546
• route NewEvalState through newEvalCtx by @lestrrat in #548
• resolve inline attr type in idc key keys by @lestrrat in #555
• retain empty default and fixed constraints by @lestrrat in #551
• validate xsi:nil as xs:boolean lexical by @lestrrat in #557
• error on unsupported xinclude text encoding by @lestrrat in #547
• wire helium lint --encode through to output by @lestrrat in #552
• reject unsafe html element and attr names by @lestrrat in #549
• route relaxng xsd datatypes through value validator by @lestrrat in #550
• raise XTDE0860 in attribute capture branches by @lestrrat in #556
• use uri-aware resolution for xslt resources by @lestrrat in #558
• fix eval-reuse focus loss and frozen clock by @lestrrat in #560
• require xmldsig namespace for references by @lestrrat in #559
• fix xsd default/fixed presence and namespace by @lestrrat in #563
• fix xsi:nil for no-type elems and nillable lexical by @lestrrat in #561
• report unresolved xsd type references by @lestrrat in #554
• compare xsd fixed values in value space by @lestrrat in #553
• canonicalize idc fields in value space by @lestrrat in #562
• annotate skip and anytype idc elements by @lestrrat in #564
• fix xsd all particle qname matching by @lestrrat in #566
• guard docorder cache with a mutex by @lestrrat in #570
• treat undeclared general entity as fatal by @lestrrat in #572
• accept year zero in xsd date casts by @lestrrat in #573
• fix xslt3 output def mutation and item serialization by @lestrrat in #577
• guard nil schema and document in xsd validate by @lestrrat in #574
• detect duplicate named xsd components by @lestrrat in #571
• cap external dtd reads with byte limit by @lestrrat in #565
• reject multi-item qname and map:merge options args by @lestrrat in #576
• guard addchild against dom cycles by @lestrrat in #567
• fix xpath3 list and dateTimeStamp constructors by @lestrrat in #575
• bound external entity reads and check entity refs by @lestrrat in #569
• fix xsd list/union/qname facet validation by @lestrrat in #579
• fix xsd date and value-space validation by @lestrrat in #580
• canonicalize string-derived and duration map keys by @lestrrat in https:/...

v0.1.0

This is the first v0.1.x release. It is dominated by security and spec-correctness hardening, which tightens behavior for some inputs — hence the minor-version bump. The headline backwards-incompatible changes are called out below; the stricter-validation and error-propagation fixes that make up the rest of the hardening are in the full list further down.

⚠️ Breaking changes

Public API

• xsd: FacetSet.Pattern *string → FacetSet.Patterns []string (#455)

Security — file/URI access is now default-deny (requires a resolver / opt-in)

• xslt3: filesystem default-deny for stylesheet loads — xsl:import/xsl:include, output-format docs, and fn:transform(stylesheet-location=…) no longer read the local filesystem implicitly (#472)
• xslt3: xsl:source-document, xsl:merge, and fn:stream-available are routed through the resolver — no implicit disk reads (#467)
• xinclude: the XPointer inner parser is sandboxed (custom resolvers get a deny-all FS) to block XXE (#469)
• relaxng: BaseDir containment is enforced on all resolved hrefs; absolute and xml:base escapes are blocked (#464)
• xmldsig1: unsupported Reference transforms are rejected (fail-closed) instead of verifying against untransformed bytes (#463)

Changed evaluation results / output

• xpath1/xpath3: unprefixed name tests match only no-namespace nodes — previously matched any namespace (#466)
• xpath1: node-set vs boolean is compared as a set per XPath 1.0 REC §3.4 (#473)
• xpath1: external node-set variables are now returned in document order (#476)
• c14n: an explicitly empty node set now produces empty output — previously the full document (#461)
• schematron: attribute context nodes (e.g. context="@id") now execute their rules — previously dropped (#465)

The remainder of the release adds stricter input validation (parser/stream/xsd/xpath3) and surfaces previously-swallowed io.Writer errors. These can also reject inputs that earlier versions silently accepted; see the full list below.

---

What's Changed

• xpath3: allow partial application on maps and arrays by @lestrrat in #454
• xsd: OR multiple same-step pattern facets by @lestrrat in #455
• xsd: enforce XSD-only regex constructs in pattern facets by @lestrrat in #456
• xsd: fix char-class subtraction in pattern facets by @lestrrat in #457
• html: avoid rcdata hang on invalid end tag by @lestrrat in #458
• parser: guard malformed character references by @lestrrat in #459
• xslt3: init result-doc maps in fn:transform by @lestrrat in #460
• c14n: emit empty output for empty node set by @lestrrat in #461
• xpath3: range-check codepoints-to-string input by @lestrrat in #462
• xmldsig1: reject unsupported reference transforms by @lestrrat in #463
• relaxng: enforce basedir on all resolved hrefs by @lestrrat in #464
• schematron: validate attribute context nodes by @lestrrat in #465
• xpath: match unprefixed names in no namespace by @lestrrat in #466
• xslt3: route runtime uris through resolver by @lestrrat in #467
• writer: propagate io.Writer errors by @lestrrat in #468
• xinclude: sandbox inner parser to block xpointer XXE by @lestrrat in #469
• html: propagate serializer write errors by @lestrrat in #470
• xpath3: retry spurious regexp2 match timeouts by @lestrrat in #471
• xslt3: default-deny filesystem for stylesheet loads by @lestrrat in #472
• xpath1: compare node-set to boolean as a set by @lestrrat in #473
• parser: reject non-XML chars in text content by @lestrrat in #474
• xpath: reject fragment in base uri for empty arg by @lestrrat in #475
• xpath1: document-order external node-set vars by @lestrrat in #476
• xpath3: require xs:integer array positions by @lestrrat in #477
• xpath3: validate integer/cardinality in sequence fns by @lestrrat in #478
• xpath3: validate and bound to-operator operands by @lestrrat in #479
• xpath3: exact normalization of large integer map keys by @lestrrat in #480
• xmldsig1: reject out-of-range rsa exponent by @lestrrat in #484
• parser: validate cdata and width-aware slow paths by @lestrrat in #481
• stream: validate comment and pi well-formedness by @lestrrat in #485
• xpath3: validate args in math/map/json builtins by @lestrrat in #482
• xpath3: enforce builtin parameter signatures by @lestrrat in #483
• readme: list xmldsig1 and xmlenc1 packages by @lestrrat in #486

Full Changelog: v0.0.2...v0.1.0

v0.0.2

What's Changed

• add xmldsig1 and xmlenc1 packages by @lestrrat in #400
• Bump actions/upload-artifact from 4.6.2 to 7.0.0 by @dependabot[bot] in #401
• Bump actions/setup-go from 6.3.0 to 6.4.0 by @dependabot[bot] in #402
• Bump golang.org/x/text from 0.35.0 to 0.36.0 by @dependabot[bot] in #403
• Bump actions/cache from 5.0.4 to 5.0.5 by @dependabot[bot] in #405
• Bump actions/upload-artifact from 7.0.0 to 7.0.1 by @dependabot[bot] in #406
• Bump goreleaser/goreleaser-action from 7.0.0 to 7.1.0 by @dependabot[bot] in #408
• Bump golang.org/x/net from 0.52.0 to 0.53.0 by @dependabot[bot] in #404
• Bump github.com/dlclark/regexp2 from 1.11.5 to 1.12.0 by @dependabot[bot] in #407
• Bump goreleaser/goreleaser-action from 7.1.0 to 7.2.1 by @dependabot[bot] in #409
• pin golangci-lint and fix lint by @lestrrat in #411
• Bump golang.org/x/text from 0.36.0 to 0.37.0 by @dependabot[bot] in #410
• Bump golang.org/x/net from 0.53.0 to 0.54.0 by @dependabot[bot] in #412
• route external resource loads through fs.FS by @lestrrat in #413
• xmlenc1: fix CBC padding oracle, XXE on decrypted plaintext, GCM AAD (H2) by @lestrrat in #416
• fix(h1): default-deny network and filesystem access in fn:doc and fn:unparsed-text by @lestrrat in #417
• xmldsig1: harden against XML Signature Wrapping (XSW) attacks by @lestrrat in #415
• export xsd.ValidationError; switch relaxng include guard to map by @lestrrat in #419
• xinclude: filepath.Clean resolved hrefs before fs.Open by @lestrrat in #420
• xpath3: bound regexp2 fallback with DefaultRegexMatchTimeout by @lestrrat in #421
• xpointer: add Compile for reusable pre-compiled expression by @lestrrat in #423
• xsd: cap xs:import recursion depth by @lestrrat in #422
• xpath3: expose DefaultMaxRecursionDepth as tunable var by @lestrrat in #424
• html: route silenced SAX callback errors via OnWarning; add Strict by @lestrrat in #426
• xinclude: address PR #420 review follow-ups by @lestrrat in #425
• xslt3: default-deny network/filesystem for fn:doc / document() by @lestrrat in #427
• html: surface short writes in latin1EncodingWriter by @lestrrat in #428
• parser: absolute entity-expansion ceiling survives RelaxLimits by @lestrrat in #429
• xpath3: raise DefaultRegexMatchTimeout to 5s by @lestrrat in #431
• schemas: reject schema location/href escaping baseDir by @lestrrat in #430
• Bump goreleaser/goreleaser-action from 7.2.1 to 7.2.2 by @dependabot[bot] in #432
• Bump actions/stale from 10.2.0 to 10.3.0 by @dependabot[bot] in #433
• Bump golangci/golangci-lint-action from 9.2.0 to 9.2.1 by @dependabot[bot] in #434
• Bump golang.org/x/net from 0.54.0 to 0.55.0 by @dependabot[bot] in #435
• Bump actions/checkout from 6.0.2 to 6.0.3 by @dependabot[bot] in #436
• xsd: deterministic extension-merge order by @lestrrat in #438
• Bump golang.org/x/text from 0.37.0 to 0.38.0 by @dependabot[bot] in #439
• xsd: consume non-first choice branch after an omitted optional element by @lestrrat in #443
• Bump golang.org/x/net from 0.55.0 to 0.56.0 by @dependabot[bot] in #440
• xsd: fractionDigits counts significant fraction digits, not lexical by @vfilter in #445
• xsd: honor group min/maxoccurs in lookahead by @lestrrat in #446
• relaxng: prefer consuming branch in naive choice by @lestrrat in #447
• relaxng: backtrack greedy members in naive group by @lestrrat in #449
• xsd: compare enumeration in value space by @lestrrat in #448
• xsd: 14h rule for mixed-tz datetime compare by @lestrrat in #450
• relaxng: backtrack token group and choice matching by @lestrrat in #451
• xsd: compare identity-constraint keys by value by @lestrrat in #452
• pin goreleaser version to v2.16.0 by @lestrrat in #453

New Contributors

• @vfilter made their first contribution in #445

Full Changelog: v0.0.1...v0.0.2

v0.0.1

Description

This is the initial release. Things should be somewhat stable, but still do be careful.

What's Changed

• Topic/stacked input by @lestrrat in #3
• Remove github.com/pkg/errors by @lestrrat in #4
• Update go.mod by @lestrrat in #5
• Fix parameter entity by @lestrrat in #6
• Tweak parserstate by @lestrrat in #7
• linting should match xmllint by @lestrrat in #8
• Test cleanup by @lestrrat in #9
• Lint by @lestrrat in #10
• Add .github by @lestrrat in #11
• Test libxml2 compat by @lestrrat in #14
• Implement XPath 1.0 engine by @lestrrat in #15
• Implement XInclude by @lestrrat in #16
• Implement XPointer and wire into XInclude by @lestrrat in #17
• Fix XInclude xml:base ancestor resolution and text char validation by @lestrrat in #18
• Fix CI workflow to trigger on all pushes by @lestrrat in #20
• Implement XSD validation Phase 1 (structural) by @lestrrat in #19
• Worktree fix ci workflow by @lestrrat in #21
• Implement external DTD loading for XInclude issue733 by @lestrrat in #22
• Add XML Catalog support; fix XInclude DTD propagation by @lestrrat in #23
• Implement C14N support by @lestrrat in #24
• Fix external entity resolution and internal entity substitution by @lestrrat in #25
• XSD by @lestrrat in #26
• Rename xmlschema package to xsd by @lestrrat in #27
• Implement HTML support by @lestrrat in #28
• add streaming XML writer package by @lestrrat in #30
• move encoding package to internal/encoding by @lestrrat in #31
• Migrate SAX2 functions to match interfaces by @lestrrat in #33
• Refactor html SAX by @lestrrat in #34
• rename helium-lint to heliumlint by @lestrrat in #35
• add schematron validation package by @lestrrat in #36
• Tweak and fix heliumlint by @lestrrat in #37
• add xpath operation/recursion limits by @lestrrat in #38
• fix entity amplification and ParseOption bits by @lestrrat in #39
• add RelaxNG validation support by @lestrrat in #32
• add push/streaming parser for XML and HTML by @lestrrat in #40
• add tree manipulation API by @lestrrat in #41
• move bitset logic to internal/bitset by @lestrrat in #42
• Chore cleanup md by @lestrrat in #43
• add xpath Function interface by @lestrrat in #44
• add formatted/indented XML output support by @lestrrat in #45
• add structured error API to ErrParseError by @lestrrat in #46
• add xsi:nil support to XSD validation by @lestrrat in #47
• add xpath custom function registration by @lestrrat in #48
• add ID/IDREF validation to DTD validity checks by @lestrrat in #50
• add XSD default/fixed value validation by @lestrrat in #49
• fix typo in ErrDTDDupToken error message by @lestrrat in #51
• Feat id idref validation by @lestrrat in #52
• fix xmlwriter DTD brackets and newline by @lestrrat in #53
• Fix extsubset lookup by @lestrrat in #54
• Feat xsd builtin types by @lestrrat in #55
• fix encoding alias coverage by @lestrrat in #56
• xpointer: add xpath1() scheme alias by @lestrrat in #57
• Feat xsd builtin types by @lestrrat in #58
• enforce ParseNoError flag in parser by @lestrrat in #59
• skip xml: prefix in dumpNs output by @lestrrat in #60
• xmlwriter: add trailing newline to StartDocument by @lestrrat in #61
• remove noscript from isHeadElement by @lestrrat in #62
• reject invalid predefined entity redeclaration by @lestrrat in #63
• add DTD root element name check by @lestrrat in #64
• add WithNoEmpty option for save by @lestrrat in #66
• fix entity redefinition to first-wins by @lestrrat in #67
• escape DTD entity content in xmlwriter by @lestrrat in #65
• xsd: add missing facet validation by @lestrrat in #68
• add xmlns() XPointer scheme by @lestrrat in #69
• add notation declaration serialization by @lestrrat in #70
• validate enumeration attr values against declared set by @lestrrat in #71
• add WithNoDecl option to suppress xml decl by @lestrrat in #72
• xsd: add full whiteSpace normalization by @lestrrat in #73
• c14n: reject relative namespace URIs by @lestrrat in #74
• add GetPublicId/GetSystemId to DocumentLocator by @lestrrat in #75
• fix schematron value-of semantics by @lestrrat in #76
• xsd: reject abstract types at validation time by @lestrrat in #77
• add xpointer circumflex escape handling by @lestrrat in #78
• add schematron compile-time validation checks by @lestrrat in #79
• xpointer: add cascading fallback for multiple parts by @lestrrat in #80
• add schematron output mode flags by @lestrrat in #81
• add UCS-4/UCS-2 encoding conversion by @lestrrat in #82
• add HTML parser and dump options by @lestrrat in #83
• add atype field to Attribute struct by @lestrrat in #84
• add StopParser for aborting parse from SAX callbacks by @lestrrat in #85
• add ParseInNodeContext for fragment parsing by @lestrrat in #86
• add newer parser options (NoXXE, SkipIDs, etc) by @lestrrat in #87
• add conditional sections in DTD parser by @lestrrat in #88
• add xs:redefine support to XSD compiler by @lestrrat in #89
• pre-index xpath document order for O(1) lookup by @lestrrat in #90
• document content model determinism assumption by @lestrrat in #91
• add xinclude validation strictness checks by @lestrrat in #92
• add namespace-qualified attr lookup in xinclude by @lestrrat in #93
• reject unconsumed children in matchContentModel by @lestrrat in #94
• fix dumpQuotedString dropping double quotes by @lestrrat in #95
• add AttrEntities case to dumpAttributeDecl by @lestrrat in #96
• reject colon in parseNCName start char by @lestrrat in #97
• fix XHTML void-element ns check for default ns by @lestrrat in #98
• require RNG namespace in isRNGElement by @lestrrat in #99
• fix relaxng getAncestorNS ns="" handling by @lestrrat in #100
• report unexpected children in schematron schema by @lestrrat in #101
• report error for value-of missing select by @lestrrat in #102
• limit xpointer circumflex escape to ^( ^) ^^ by @lestrrat in https://gith...