# HG changeset patch
# User Kim Alvefur <zash@zash.se>
# Date 1642680144 -3600
# Node ID 320de3e4b579fe5fdb50188eb2c2423eee5d74cc
# Parent  2bb4ee5f42bed1824ef3355c39cff5c1024fd78e# Parent  ebeb4d959fb3fdbc9235fd42e16a33f3f78241a8
Merge 0.11->trunk

diff -r 2bb4ee5f42be -r 320de3e4b579 .hgtags
--- a/.hgtags	Wed Jan 19 10:28:09 2022 +0100
+++ b/.hgtags	Thu Jan 20 13:02:24 2022 +0100
@@ -79,3 +79,4 @@
 d0e9ffccdef934af554ea2d4a5beb9a52e9e951d 0.11.9
 d117b92fd8e459170a98a8dece7f3930f4b6aed7 0.11.10
 76b4e3f12b53fedae96402d87fa9ee79e704ce5e 0.11.11
+783056b4e4480389d0e27883289b1bfef57e4729 0.11.12
diff -r 2bb4ee5f42be -r 320de3e4b579 util/xml.lua
--- a/util/xml.lua	Wed Jan 19 10:28:09 2022 +0100
+++ b/util/xml.lua	Thu Jan 20 13:02:24 2022 +0100
@@ -65,27 +65,19 @@
 		function handler:EndElement()
 			stanza:up();
 		end
-		local parser;
 		-- SECURITY: These two handlers, especially the Doctype one, are required to prevent exploits such as Billion Laughs.
-		function handler:StartDoctypeDecl()
+		local function restricted_handler(parser)
 			if not parser.stop or not parser:stop() then
 				error("Failed to abort parsing");
 			end
 		end
-		function handler:ProcessingInstruction()
-			if not parser.stop or not parser:stop() then
-				error("Failed to abort parsing");
-			end
-		end
+		handler.StartDoctypeDecl = restricted_handler;
+		handler.ProcessingInstruction = restricted_handler;
 		if not options or not options.allow_comments then
 			-- NOTE: comments are generally harmless and can be useful when parsing configuration files or other data, even user-provided data
-			function handler:Comment()
-				if not parser.stop or not parser:stop() then
-					error("Failed to abort parsing");
-				end
-			end
+			handler.Comment = restricted_handler;
 		end
-		parser = lxp.new(handler, ns_separator);
+		local parser = lxp.new(handler, ns_separator);
 		local ok, err, line, col = parser:parse(xml);
 		if ok then ok, err, line, col = parser:parse(); end
 		--parser:close();