What's Changed

• updated pull-parser version by @jayknoxqu in https://github.com/dom4j/dom4j/pull/129
• Reuse the writeAttribute method in writeAttributes. by @Ekryd in https://github.com/dom4j/dom4j/pull/134
• support build on OS with non-UTF8 as default charset by @qxo in https://github.com/dom4j/dom4j/pull/96
• Gradle: add an automatic module name (fixes #67) by @carlosame in https://github.com/dom4j/dom4j/pull/84
• Use Correct License Name "Plexus" by @tisoft in https://github.com/dom4j/dom4j/pull/98

New Contributors

• @jayknoxqu made their first contribution in https://github.com/dom4j/dom4j/pull/129
• @Ekryd made their first contribution in https://github.com/dom4j/dom4j/pull/134
• @qxo made their first contribution in https://github.com/dom4j/dom4j/pull/96
• @carlosame made their first contribution in https://github.com/dom4j/dom4j/pull/84
• @tisoft made their first contribution in https://github.com/dom4j/dom4j/pull/98

Full Changelog: https://github.com/dom4j/dom4j/compare/version-2.1.3...version-2.1.4

Improvements

• Added new factory method org.dom4j.io.SAXReader.createDefault(). It hase more secure defaults than new SAXReader(), which uses system XMLReaderFactory.createXMLReader() or SAXParserFactory.newInstance().newSAXParser(). SAXReader.createDefault() disable parsing of external entities in the SAX parser.

Branch 2.0.x for Java 1.5 aligned with branch 2.1.x.

Improvements

• Added new factory method org.dom4j.io.SAXReader.createDefault(). It hase more secure defaults than new SAXReader(), which uses system XMLReaderFactory.createXMLReader() or SAXParserFactory.newInstance().newSAXParser(). SAXReader.createDefault() disable parsing of external entities in the SAX parser.

Bug fix release.

Potential breaking changes

• If you use some optional dependency of dom4j (for example Jaxen, xsdlib etc.), you need to specify an explicit dependency on it in your project. They are no longer marked as a mandatory transitive dependency by dom4j.
• Following SAX parser features are disabled by default in DocumentHelper.parse() for security reasons (they were enabled in previous versions):
  • http://xml.org/sax/properties/external-general-entities
  • http://xml.org/sax/properties/external-parameter-entities

Fixed issues

• #28 Possible vulnerability of DocumentHelper.parseText() to XML injection (reported by @s0m30ne)
• #34 CVS directories left in the source tree (reported by @ebourg)
• #38 XMLWriter does not escape supplementary unicode characters correctly (reported by @abenkovskii)
• #39 writer.writeOpen(x) doesn't write namespaces (reported by @borissmidt)
• #40 concurrency problem with QNameCache (@jbennett2091)
• #43 and #46 all dependencies are optional (reported by @Zardoz89 and @vmassol)
• #44 SAXReader: hardcoded namespace features (reported by @philippeu)
• #48 validate QNames (reported by @mario-areias)

Minimum supported version of Java for this branch upgraded to Java 8. Added support for build with Java 9.

This release contain only bug-fixes:

• StringIndexOutOfBoundsException in XMLWriter.writeElementContent() (#26)
• TreeNode has grown some generics

This release contain only bug-fixes:

• QName serialization fix (#17)
• DocumentException initialize with nested exception (#20)
• Accidentally occurring error in a multi-threaded test (#14)

• compatibility with W3C DOM Level 3 → compatible with Java 5+
• use Java generics

• sources can be build with JDK 1.5 or newer (implements W3C DOM Level 3)
• all classes and interfaces are generified

Released on March 14, 2002.