Hi everyone,

As a developer of probably one of the largest projects depending on
LuaExpat, I've just taken maintainership of the module, which has been
untended for a few years now.

This release brings a minimal number of API changes, in fact just
enough for an application to prevent what has become known as the
"billion laughs" attack. This attack is of importance to anyone
processing XML from untrusted sources - successfully exploiting it
causes the parser to consume large amounts of CPU and RAM, effectively
a denial of service against the process and sometimes the machine.
More information at:

The 1.2.0 tarball can be found at
Fabio has already pushed the release into the LuaRocks repository.

LuaExpat also now has a source repository at

In the long term I plan to extend the API to make it a little more
complete, like adding the remaining missing callbacks and allowing
resume after parser:stop(). Any suggestions or feedback welcome here
or direct to me.


PS. I nearly forgot: Expat is an XML parsing library. XML is an
extensible markup language. Laughter is... never mind.
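
One way an application can use this release to refuse entity-bearing input, as an added example that is not part of the original post or LuaExpat's own code. It assumes the StartDoctypeDecl callback is the hook involved (the post names only parser:stop()) and a policy of rejecting every DOCTYPE; the function name and sample documents are constructed.

```lua
local lxp = require("lxp")

-- Parse XML from an untrusted source, refusing any document with a DOCTYPE
-- so that no entity declarations are ever processed.
-- Returns the number of elements seen, or nil plus a reason.
local function parse_untrusted(xml)
  local rejected, elements = false, 0
  local parser = lxp.new({
    -- Assumption: this is the callback the release relies on.
    StartDoctypeDecl = function(p)
      rejected = true
      p:stop() -- abort before the internal subset is read
    end,
    StartElement = function() elements = elements + 1 end,
  })
  local ok, err = parser:parse(xml)
  if ok then ok, err = parser:parse() end -- no argument: end of document
  -- close() finishes the parse and can raise once parsing was aborted,
  -- so keep cleanup from masking the result.
  pcall(parser.close, parser)
  if rejected then return nil, "DOCTYPE not allowed" end
  if not ok then return nil, err end
  return elements
end

-- Constructed sample inputs: one plain document, one with a harmless
-- internal DTD declaring a single entity.
local plain = "<stream><message>hi</message></stream>"
local with_dtd = [[<!DOCTYPE d [ <!ENTITY e "text"> ]><d>&e;</d>]]

print(parse_untrusted(plain))
print(parse_untrusted(with_dtd))
```

Rejecting the DOCTYPE outright is stricter than limiting expansion, and suits protocols that never need a DTD.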