Conversation

@notriddle
Contributor

Problem reported in #2742 (comment)

@rustbot rustbot added the S-waiting-on-review Status: waiting on a review label Jul 8, 2025
Contributor

@ehuss ehuss left a comment

Thanks!

@ehuss ehuss added this pull request to the merge queue Jul 8, 2025
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Jul 8, 2025
@ehuss ehuss enabled auto-merge July 8, 2025 22:47
@ehuss ehuss added this pull request to the merge queue Jul 8, 2025
Merged via the queue into rust-lang:master with commit 0ac89dd Jul 8, 2025
14 checks passed
@rustbot rustbot removed the S-waiting-on-review Status: waiting on a review label Jul 8, 2025
@notriddle notriddle deleted the patch-1 branch July 9, 2025 21:16
facebook-github-bot pushed a commit to facebook/pyrefly that referenced this pull request Sep 25, 2025
…071 - 2025-09-21: Incorrect handling of embedded SVG and MathML leads to mutation XSS after removal)

Summary:
mdbook imports ammonia, for which a vulnerability exists in v3. Fortunately, the current mdbook uses a fixed version, so we can get rid of the vulnerability by upgrading its only dependent.

# Changelog

## mdBook 0.4.52
[v0.4.51...v0.4.52](rust-lang/mdBook@v0.4.51...v0.4.52)

**Note:** If you have a custom `index.hbs` theme file, it is recommended that you update it to the latest version to pick up the fixes in this release.

### Added
- Added the ability to redirect `#` HTML fragments using the existing `output.html.redirect` table.
  [#2747](rust-lang/mdBook#2747)
- Added the `rel="edit"` attribute to the edit page button.
  [#2702](rust-lang/mdBook#2702)

### Changed
- The search index is now only loaded when the search input is opened instead of always being loaded.
  [#2553](rust-lang/mdBook#2553)
  [#2735](rust-lang/mdBook#2735)
- The `mdbook serve` command has switched its underlying server library from warp to axum.
  [#2748](rust-lang/mdBook#2748)
- Updated dependencies.
  [#2752](rust-lang/mdBook#2752)

### Fixed
- The sidebar is now set to `display:none` when it is hidden in order to prevent the browser's search from thinking the sidebar's text is visible.
  [#2725](rust-lang/mdBook#2725)
- Fixed search index URL not updating correctly when `hash-files` is enabled.
  [#2742](rust-lang/mdBook#2742)
  [#2746](rust-lang/mdBook#2746)
- Fixed several sidebar animation bugs, particularly when manually resizing.
  [#2750](rust-lang/mdBook#2750)

## mdBook 0.4.51
[v0.4.50...v0.4.51](rust-lang/mdBook@v0.4.50...v0.4.51)

### Fixed
- Fixed regression that broke the `S` search hotkey.
  [#2713](rust-lang/mdBook#2713)

## mdBook 0.4.50
[v0.4.49...v0.4.50](rust-lang/mdBook@v0.4.49...v0.4.50)

### Added

- Added a keyboard shortcut help popup when pressing `?`.
  [#2608](rust-lang/mdBook#2608)

### Changed

- Changed the look of the sidebar resize handle to match the new rustdoc format.
  [#2691](rust-lang/mdBook#2691)
- `/` can now be used to open the search bar.
  [#2698](rust-lang/mdBook#2698)
- Pressing enter from the search bar will navigate to the first entry.
  [#2698](rust-lang/mdBook#2698)
- Updated `opener` to drop some dependencies.
  [#2709](rust-lang/mdBook#2709)
- Updated dependencies, MSRV raised to 1.82.
  [#2711](rust-lang/mdBook#2711)

### Fixed

- Fixed uncaught exception when pressing down when there are no search results.
  [#2698](rust-lang/mdBook#2698)
- Fixed syntax highlighting of Rust code in the ACE editor.
  [#2710](rust-lang/mdBook#2710)

## mdBook 0.4.49
[v0.4.48...v0.4.49](rust-lang/mdBook@v0.4.48...v0.4.49)

### Added

- Added a warning on unused fields in the root of `book.toml`.
  [#2622](rust-lang/mdBook#2622)

### Changed

- Updated dependencies.
  [#2650](rust-lang/mdBook#2650)
  [#2688](rust-lang/mdBook#2688)
- Updated minimum Rust version to 1.81.
  [#2688](rust-lang/mdBook#2688)
- The unused `book.multilingual` field is no longer serialized, or shown in `mdbook init`.
  [#2689](rust-lang/mdBook#2689)
- Speed up search index loading by using `JSON.parse` instead of parsing JavaScript.
  [#2633](rust-lang/mdBook#2633)

### Fixed

- Search highlighting will not try to highlight in SVG `<text>` elements because it breaks the element.
  [#2668](rust-lang/mdBook#2668)
- Fixed scrolling of the sidebar when a search highlight term is in the URL.
  [#2675](rust-lang/mdBook#2675)
- Fixed issues when multiple footnote definitions use the same ID. Now, only one definition is used, and a warning is displayed.
  [#2681](rust-lang/mdBook#2681)
- The sidebar is now restricted to 80% of the viewport width to make it possible to collapse it when the viewport is very narrow.
  [#2679](rust-lang/mdBook#2679)

## mdBook 0.4.48
[v0.4.47...v0.4.48](rust-lang/mdBook@v0.4.47...v0.4.48)

### Added

- Footnotes now have back-reference links. These links bring the reader back to the original location. As part of this change, footnotes are now only rendered at the bottom of the page. This also includes some styling updates and fixes for footnote rendering.
  [#2626](rust-lang/mdBook#2626)
- Added an "Auto" theme selection option which will default to the system-preferred mode. This will also automatically switch when the system changes the preferred mode.
  [#2576](rust-lang/mdBook#2576)

### Changed

- The `searchindex.json` file has been removed; only the `searchindex.js` file will be generated.
  [#2552](rust-lang/mdBook#2552)
- Updated Javascript code to use eslint.
  [#2554](rust-lang/mdBook#2554)
- An error is generated if there are duplicate files in `SUMMARY.md`.
  [#2613](rust-lang/mdBook#2613)

## mdBook 0.4.47
[v0.4.46...v0.4.47](rust-lang/mdBook@v0.4.46...v0.4.47)

### Fixed

- Fixed search not showing up in sub-directories.
  [#2586](rust-lang/mdBook#2586)

## mdBook 0.4.46
[v0.4.45...v0.4.46](rust-lang/mdBook@v0.4.45...v0.4.46)

### Changed

- The `output.html.hash-files` config option has been added to add hashes to static filenames to bust any caches when a book is updated. `{{resource}}` template tags have been added so that links can be properly generated to those files.
  [#1368](rust-lang/mdBook#1368)

### Fixed

- Playground links for Rust 2024 now set the edition correctly.
  [#2557](rust-lang/mdBook#2557)

## mdBook 0.4.45
[v0.4.44...v0.4.45](rust-lang/mdBook@v0.4.44...v0.4.45)

### Changed

- Added context to error message when rustdoc is not found.
  [#2545](rust-lang/mdBook#2545)
- Slightly changed the styling rules around margins of footnotes.
  [#2524](rust-lang/mdBook#2524)

### Fixed

- Fixed an issue where it would panic if a source_path is not set.
  [#2550](rust-lang/mdBook#2550)

## mdBook 0.4.44
[v0.4.43...v0.4.44](rust-lang/mdBook@v0.4.43...v0.4.44)

### Added

- Added pre-built aarch64-apple-darwin binaries to the releases.
  [#2500](rust-lang/mdBook#2500)
- `mdbook clean` now shows a summary of what it did.
  [#2458](rust-lang/mdBook#2458)
- Added the `output.html.search.chapter` config setting to disable search indexing of individual chapters.
  [#2533](rust-lang/mdBook#2533)

### Fixed

- Fixed auto-scrolling the side-bar when loading a page with a `#` fragment URL.
  [#2517](rust-lang/mdBook#2517)
- Fixed display of sidebar when javascript is disabled.
  [#2529](rust-lang/mdBook#2529)
- Fixed the sidebar visibility getting out of sync with the button.
  [#2532](rust-lang/mdBook#2532)

### Changed

- ❗ Rust code block hidden lines now follow the same logic as rustdoc. This requires a space after the `#` symbol.
  [#2530](rust-lang/mdBook#2530)
- ❗ Updated the Linux pre-built binaries which requires a newer version of glibc (2.34).
  [#2523](rust-lang/mdBook#2523)
- Updated dependencies
  [#2538](rust-lang/mdBook#2538)
  [#2539](rust-lang/mdBook#2539)

## mdBook 0.4.43
[v0.4.42...v0.4.43](rust-lang/mdBook@v0.4.42...v0.4.43)

### Fixed

- Fixed setting the title in `mdbook init` when no git user is configured.
  [#2486](rust-lang/mdBook#2486)

### Changed

- The Rust 2024 edition no longer needs `-Zunstable-options`.
  [#2495](rust-lang/mdBook#2495)

## mdBook 0.4.42
[v0.4.41...v0.4.42](rust-lang/mdBook@v0.4.41...v0.4.42)

### Fixed

- Fixed chapter list folding.
  [#2473](rust-lang/mdBook#2473)

## mdBook 0.4.41
[v0.4.40...v0.4.41](rust-lang/mdBook@v0.4.40...v0.4.41)

**Note:** If you have a custom `index.hbs` theme file, you will need to update it to the latest version.

### Added

- Added preliminary support for Rust 2024 edition.
  [#2398](rust-lang/mdBook#2398)
- Added a full example of the remove-emphasis preprocessor.
  [#2464](rust-lang/mdBook#2464)

### Changed

- Adjusted styling of clipboard/play icons.
  [#2421](rust-lang/mdBook#2421)
- Updated to handlebars v6.
  [#2416](rust-lang/mdBook#2416)
- Attr and section rules now have specific code highlighting.
  [#2448](rust-lang/mdBook#2448)
- The sidebar is now loaded from a common file, significantly reducing the book size when there are many chapters.
  [#2414](rust-lang/mdBook#2414)
- Updated dependencies.
  [#2470](rust-lang/mdBook#2470)

### Fixed

- Improved theme support when JavaScript is disabled.
  [#2454](rust-lang/mdBook#2454)
- Fixed broken themes when localStorage has an invalid theme id.
  [#2463](rust-lang/mdBook#2463)
- Adjusted the line-height of superscripts (and footnotes) to avoid adding extra space between lines.
  [#2465](rust-lang/mdBook#2465)

## mdBook 0.4.40
[v0.4.39...v0.4.40](rust-lang/mdBook@v0.4.39...v0.4.40)

### Fixed

- Reverted the update to pulldown-cmark which broke the semver API.
  [#2388](rust-lang/mdBook#2388)

## mdBook 0.4.39
[v0.4.38...v0.4.39](rust-lang/mdBook@v0.4.38...v0.4.39)

### Fixed

- Fixed the automatic deploy broken in the previous release.
  [#2383](rust-lang/mdBook#2383)

## mdBook 0.4.38
[v0.4.37...v0.4.38](rust-lang/mdBook@v0.4.37...v0.4.38)

### Added

- Added `nix` to the default set of languages supported for syntax highlighting.
  [#2262](rust-lang/mdBook#2262)

### Changed

- The `output.html.curly-quotes` option has been renamed to `output.html.smart-punctuation` to better reflect what it does. The old option `curly-quotes` is kept for compatibility, but may be removed in the future.
  [#2327](rust-lang/mdBook#2327)
- The file-watcher used in `mdbook serve` and `mdbook watch` now uses a poll-based watcher instead of the native operating system notifications. This should fix issues on various systems and environments, and more accurately detect when files change. The native watcher can still be used with the `--watcher native` CLI option.
  [#2325](rust-lang/mdBook#2325)
- `mdbook test` output now includes color, and shows relative paths to the source.
  [#2259](rust-lang/mdBook#2259)
- Updated dependencies, MSRV raised to 1.74
  [#2350](rust-lang/mdBook#2350)
  [#2351](rust-lang/mdBook#2351)
  [#2378](rust-lang/mdBook#2378)
  [#2381](rust-lang/mdBook#2381)

### Fixed

- Reduced memory allocation when copying files.
  [#2355](rust-lang/mdBook#2355)
- Fixed the horizontal divider in `SUMMARY.md` from being indented into the previous nested section.
  [#2364](rust-lang/mdBook#2364)
- Removed unnecessary `import` in the CSS.
  [#2260](rust-lang/mdBook#2260)

## mdBook 0.4.37
[v0.4.36...v0.4.37](rust-lang/mdBook@v0.4.36...v0.4.37)

### Changed
- ❗️ Updated the markdown parser. This brings in many changes to more closely follow the CommonMark spec. This may cause some small rendering changes. It is recommended to compare the output of the old and new version to check for changes. See <https://github.com/raphlinus/pulldown-cmark/releases/tag/v0.10.0> for more information.
  [#2308](rust-lang/mdBook#2308)
- The warning about the legacy `src/theme` directory has been removed.
  [#2263](rust-lang/mdBook#2263)
- Updated dependencies. MSRV raised to 1.71.0.
  [#2283](rust-lang/mdBook#2283)
  [#2293](rust-lang/mdBook#2293)
  [#2297](rust-lang/mdBook#2297)
  [#2310](rust-lang/mdBook#2310)
  [#2309](rust-lang/mdBook#2309)
- Some internal performance/memory improvements.
  [#2273](rust-lang/mdBook#2273)
  [#2290](rust-lang/mdBook#2290)
- Made the `pathdiff` dependency optional based on the `watch` feature.
  [#2291](rust-lang/mdBook#2291)

### Fixed
- The `s` shortcut key handler should not trigger when focus is in an HTML form.
  [#2311](rust-lang/mdBook#2311)

## mdBook 0.4.36
[v0.4.35...v0.4.36](rust-lang/mdBook@v0.4.35...v0.4.36)

### Added
- Added Nim to the default highlighted languages.
  [#2232](rust-lang/mdBook#2232)
- Added a small indicator for the sidebar resize handle.
  [#2209](rust-lang/mdBook#2209)

### Changed
- Updated dependencies. MSRV raised to 1.70.0.
  [#2173](rust-lang/mdBook#2173)
  [#2250](rust-lang/mdBook#2250)
  [#2252](rust-lang/mdBook#2252)

### Fixed
- Fixed blank column in print page when the sidebar was visible.
  [#2235](rust-lang/mdBook#2235)
- Fixed indentation of code blocks when Javascript is disabled.
  [#2162](rust-lang/mdBook#2162)
- Fixed a panic when `mdbook serve` or `mdbook watch` were given certain kinds of paths.
  [#2229](rust-lang/mdBook#2229)

## mdBook 0.4.35
[v0.4.34...v0.4.35](rust-lang/mdBook@v0.4.34...v0.4.35)

### Added
- Added the `book.text-direction` setting for explicit support for right-to-left languages.
  [#1641](rust-lang/mdBook#1641)
- Added `rel=prefetch` to the "next" links to potentially improve browser performance.
  [#2168](rust-lang/mdBook#2168)
- Added a `.warning` CSS class which is styled for displaying warning blocks.
  [#2187](rust-lang/mdBook#2187)

### Changed
- Better support of the sidebar when JavaScript is disabled.
  [#2175](rust-lang/mdBook#2175)

## mdBook 0.4.34
[v0.4.33...v0.4.34](rust-lang/mdBook@v0.4.33...v0.4.34)

### Fixed
- Fixed file change watcher failing on macOS with a large number of files.
  [#2157](rust-lang/mdBook#2157)

## mdBook 0.4.33
[v0.4.32...v0.4.33](rust-lang/mdBook@v0.4.32...v0.4.33)

### Added
- The `color-scheme` CSS property is now set based on the light/dark theme, which applies some slight color differences in browser elements like scroll bars on some browsers.
  [#2134](rust-lang/mdBook#2134)

### Fixed
- Fixed watching of extra-watch-dirs when not running in the book root directory.
  [#2146](rust-lang/mdBook#2146)
- Reverted the dependency update to the `toml` crate (again!). This was an unintentional breaking change in 0.4.32.
  [#2021](rust-lang/mdBook#2021)
- Changed macOS change notifications to use the kqueue implementation which should fix some issues with repeated rebuilds when a file changed.
  [#2152](rust-lang/mdBook#2152)
- Don't set a background color in the print page for code blocks in a header.
  [#2150](rust-lang/mdBook#2150)

## mdBook 0.4.32
[v0.4.31...v0.4.32](rust-lang/mdBook@v0.4.31...v0.4.32)

### Fixed
- Fixed theme-color meta tag not syncing with the theme.
  [#2118](rust-lang/mdBook#2118)

### Changed
- Updated all dependencies.
  [#2121](rust-lang/mdBook#2121)
  [#2122](rust-lang/mdBook#2122)
  [#2123](rust-lang/mdBook#2123)
  [#2124](rust-lang/mdBook#2124)
  [#2125](rust-lang/mdBook#2125)
  [#2126](rust-lang/mdBook#2126)

## mdBook 0.4.31
[v0.4.30...v0.4.31](rust-lang/mdBook@v0.4.30...v0.4.31)

### Fixed
- Fixed menu border render flash during page navigation.
  [#2101](rust-lang/mdBook#2101)
- Fixed flicker setting sidebar scroll position.
  [#2104](rust-lang/mdBook#2104)
- Fixed compile error with proc-macro2 on latest Rust nightly.
  [#2109](rust-lang/mdBook#2109)

## mdBook 0.4.30
[v0.4.29...v0.4.30](rust-lang/mdBook@v0.4.29...v0.4.30)

### Added
- Added support for heading attributes.
  Attributes are specified in curly braces just after the heading text.
  An HTML ID can be specified with `#` and classes with `.`.
  For example: `## My heading {#custom-id .class1 .class2}`
  [#2013](rust-lang/mdBook#2013)
- Added support for hidden code lines for languages other than Rust.
  The `output.html.code.hidelines` table allows you to define the prefix character that will be used to hide code lines based on the language.
  [#2093](rust-lang/mdBook#2093)

### Fixed
- Fixed a few minor markdown rendering issues.
  [#2092](rust-lang/mdBook#2092)

## mdBook 0.4.29
[v0.4.28...v0.4.29](rust-lang/mdBook@v0.4.28...v0.4.29)

### Changed
- Built-in fonts are no longer copied when `fonts/fonts.css` is overridden in the theme directory.
  Additionally, the warning about `copy-fonts` has been removed if `fonts/fonts.css` is specified.
  [#2080](rust-lang/mdBook#2080)
- `mdbook init --force` now skips all interactive prompts as intended.
  [#2057](rust-lang/mdBook#2057)
- Updated dependencies
  [#2063](rust-lang/mdBook#2063)
  [#2086](rust-lang/mdBook#2086)
  [#2082](rust-lang/mdBook#2082)
  [#2084](rust-lang/mdBook#2084)
  [#2085](rust-lang/mdBook#2085)

### Fixed
- Switched from the `gitignore` library to `ignore`. This should bring some improvements with gitignore handling.
  [#2076](rust-lang/mdBook#2076)

## mdBook 0.4.28
[v0.4.27...v0.4.28](rust-lang/mdBook@v0.4.27...v0.4.28)

### Changed
- The sidebar is now shown on wide screens when localstorage is disabled.
  [#2017](rust-lang/mdBook#2017)
- Preprocessors are now run with `mdbook test`.
  [#1986](rust-lang/mdBook#1986)

### Fixed
- Fixed regression in 0.4.26 that prevented the title bar from scrolling properly on smaller screens.
  [#2039](rust-lang/mdBook#2039)

## mdBook 0.4.27
[v0.4.26...v0.4.27](rust-lang/mdBook@v0.4.26...v0.4.27)

### Changed
- Reverted the dependency update to the `toml` crate. This was an unintentional breaking change in 0.4.26.
  [#2021](rust-lang/mdBook#2021)

## mdBook 0.4.26
[v0.4.25...v0.4.26](rust-lang/mdBook@v0.4.25...v0.4.26)

**The 0.4.26 release has been yanked due to an unintentional breaking change.**

### Changed
- Removed custom scrollbars for webkit browsers
  [#1961](rust-lang/mdBook#1961)
- Updated some dependencies
  [#1998](rust-lang/mdBook#1998)
  [#2009](rust-lang/mdBook#2009)
  [#2011](rust-lang/mdBook#2011)
- Fonts are now part of the theme.
  The `output.html.copy-fonts` option has been deprecated.
  To define custom fonts, be sure to define `theme/fonts.css`.
  [#1987](rust-lang/mdBook#1987)

### Fixed
- Fixed overflow viewport issue with mobile Safari
  [#1994](rust-lang/mdBook#1994)

## mdBook 0.4.25
[e14d381...1ba74a3](rust-lang/mdBook@e14d381...1ba74a3)

### Fixed
- Fixed a regression where `mdbook test -L deps path-to-book` would not work.
  [#1959](rust-lang/mdBook#1959)

## mdBook 0.4.24
[eb77083...8767ebf](rust-lang/mdBook@eb77083...8767ebf)

### Fixed
- The precompiled linux-gnu mdbook binary available on [GitHub Releases](https://github.com/rust-lang/mdBook/releases) inadvertently switched to a newer version of glibc. This release goes back to an older version that should be more compatible on older versions of Linux.
  [#1955](rust-lang/mdBook#1955)

## mdBook 0.4.23
[678b469...68a75da](rust-lang/mdBook@678b469...68a75da)

### Changed
- Updated all dependencies
  [#1951](rust-lang/mdBook#1951)
  [#1952](rust-lang/mdBook#1952)
  [#1844](rust-lang/mdBook#1844)
- Updated minimum Rust version to 1.60.
  [#1951](rust-lang/mdBook#1951)

### Fixed
- Fixed a regression where playground code was missing hidden lines, preventing it from compiling correctly.
  [#1950](rust-lang/mdBook#1950)

## mdBook 0.4.22
[40c06f5...4844f72](rust-lang/mdBook@40c06f5...4844f72)

### Added
- Added a `--chapter` option to `mdbook test` to specify a specific chapter to test.
  [#1741](rust-lang/mdBook#1741)
- Added CSS styling for `<kbd>` tags.
  [#1906](rust-lang/mdBook#1906)
- Added pre-compiled binaries for `x86_64-unknown-linux-musl` and `aarch64-unknown-linux-musl` (see [Releases](https://github.com/rust-lang/mdBook/releases)).
  [#1862](rust-lang/mdBook#1862)
- Added `build.extra-watch-dirs` which is an array of additional directories to watch for changes when running `mdbook serve`.
  [#1884](rust-lang/mdBook#1884)

### Changed
- Removed the `type="text/javascript"` attribute from `<script>` tags.
  [#1881](rust-lang/mdBook#1881)
- Switched to building with Rust Edition 2021.
  This raises the minimum supported Rust version to 1.56.
  [#1887](rust-lang/mdBook#1887)
- When hidden code is hidden, the hidden parts are no longer copied to the clipboard via the copy button.
  [#1911](rust-lang/mdBook#1911)
- Various HTML changes and fixes to be more compliant with HTML5.
  [#1924](rust-lang/mdBook#1924)
- The theme picker now shows which theme is currently selected.
  [#1935](rust-lang/mdBook#1935)

### Fixed
- Avoid blank line at the end of an ACE code block
  [#1836](rust-lang/mdBook#1836)

Reviewed By: kuecks

Differential Revision: D83200549

fbshipit-source-id: 55b4adb5f5c9588c9b2b772f1b82909afe8c03cd