Release 1.1 #110

Closed
carlosame opened this issue Jul 23, 2024 · 0 comments

Version 1.1 will be released soon and this issue is mainly about the release notes. If something is missing or unclear please comment here.

Highlights

Security fixes

Two security vulnerabilities in the util module were fixed:


Adapt to new module name of xmlgraphics-commons

The next version of the xmlgraphics-commons dependency will use the org.apache.xmlgraphics.commons module name, different to the one that was being used in EchoSVG until now (based on the Maven filename-based module name).

If you experience any difficulty due to the change, please use a plugin like Moditect for Maven or extra-java-module-info for Gradle. Or you could wait until the next version of xmlgraphics-commons is released and then set an explicit dependency.


More SVG2 compatibility

  • More resilience against missing or wrong href, width, height, rx, ry, x and y attributes.
  • Full support for the namespaceless href attribute even in animations.

PNG codecs now support ICC color profiles

The native PNG codec and the ImageIO WriteAdapter now support color profiles automatically.


Color profiles in SVG Generator, in colors and embedded PNG images

See https://github.com/css4j/echosvg/wiki/SVG-Generator


Configurable compression level for embedded PNG images in the SVG Generator

See SVGGeneratorContext.setCompressionLevel().


New rendering hints in the PNG transcoder

Rendering hints KEY_KEYWORD_TEXT, KEY_INTERNATIONAL_TEXT and KEY_COMPRESSED_TEXT allow embedding textual information (like copyright, author, description, etc.) in rendered PNG images. And KEY_COMPRESSION_LEVEL sets the compression level used in the PNG encoding (the default native encoder uses 9 by default, which is excessive for some use cases).

All of these hints work with both the native and the ImageIO adapters.


Per-module Fat-jars

If you manage your classpath manually and only require a specific module, get a fat-jar specific for your use case.

See https://github.com/css4j/echosvg/wiki/Uber-Jar


Detail of changes

  • util: fix arbitrary file access during archive extraction. [security, CWE-22]
  • util: set connect and read timeouts in ParsedURLData [BATIK-1366]. [security, CWE-770]
  • Modules: switch to org.apache.xmlgraphics.commons as xmlgraphics-commons module name.
  • Remove a few redundant interface usages, other cleanups.
  • anim: support animatable namespaceless href attribute from SVG2.
  • anim: allow missing width and height attributes in <rect> [SVG2].
  • anim, bridge: the version attribute isn't part of SVG anymore, just check for 1.2.
  • bridge: be tolerant to missing or malformed href attribute in image elements [SVG2].
  • bridge: tolerate wrong width, height, rx and ry attributes in <rect> [SVG2].
  • bridge: tolerate wrong or missing rx and ry attributes in <ellipse>, r in <circle> [SVG2].
  • bridge: more resilience against missing or incorrect shape attributes [SVG2].
  • bridge: nullcheck the animation engine in SVGAnimationEngine.
  • codec: support ICC color profiles in native PNG codec.
  • codec: fix NPE writing the zTXt chunk.
  • codec: support ICC color profiles in ImageIOPNGImageWriter.
  • codec: configure the PNG compression level, support all the text chunks.
  • codec: add a null check in ImageIOJPEGImageWriter, other small improvements.
  • css: remove dependency on xmlgraphics-commons.
  • dom: check the namespaceless href attribute first.
  • extension: simplify ColorSwitchBridge.createPaint().
  • extension: resource was in a directory with wrong name.
  • script: give access to org.mozilla.javascript.EcmaError in the Rhino shutter [BATIK-912].
  • svggen: support colors in non-sRGB color spaces, via color() function.
  • svggen: support images based on ICC color profiles in drawImage().
  • svggen: make the compression level of the embedded PNG images configurable.
  • svggen: add Mac Glyph names for 210 & 257.
  • transcoder: add the KEY_COMPRESSION_LEVEL, KEY_KEYWORD_TEXT, KEY_INTERNATIONAL_TEXT and KEY_COMPRESSED_TEXT hints.
  • transcoder: do not close the output stream in PNGImageEncoder.
  • Unmerge codec packages from transcoder module, except for three classes.
  • dom: fix XPath regression introduced by commit 8164dd7 (BATIK-1329: Remove xalan). Bug reported by Pavel Braginskiy on July 17 to the batik-users mailing list.
  • JMH: move DoubleStringPerformanceMark to a svggen.jmh package for improved modular compatibility.
  • Source formatting (pre-requisite to enable code style tools).
  • Enable checks with the Checkstyle static analysis tool.
  • Tests: test images from canvg's test suite (#92).
  • Tests: switch to a SVG 1.1 DTD in a number of test sample files.
  • Tests: refactor to be more IDE-friendly.
  • Tests: fix CodeQL alert 28.
  • Tests: a number of other improvements.
  • Distribution: add a Main-Class attribute to a few manifests.
  • Gradle: use implementation instead of api in several places.
  • Gradle: add the ability to create all-deps jar files for individual modules.
  • Upgrade to JUnit 5.10.3.
  • Upgrade to extra-java-module-info 1.8.
  • Upgrade to grGit 5.2.2.
  • Upgrade to JUnit 5.10.2.
  • Upgrade to Mozilla Rhino 1.7.15.
  • Upgrade to xml-dtd 4.3.
  • Upgrade Gradle wrapper to 8.9.
  • CI: do not exclude any test.
  • Run CI on Java 11 and 21.

carlosame added this to the 1.1 milestone Jul 23, 2024