dep: update libxml2 to 2.13.0 and libxslt to 1.1.40

[flavorjones]

What problem is this PR intended to solve?

• https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.13.0
• https://gitlab.gnome.org/GNOME/libxslt/-/releases/v1.1.40

[flavorjones]

Looks like we need to wait for a companion libxslt release with GNOME/libxslt@75967fc0 to address the compilation issues.

[flavorjones]

Added libxslt upgrade to 1.1.40 to this PR

[flavorjones]

@rgrove Take note that sanitize is going to have some test failures once this makes it into a release (likely v1.17.0 later in the summer):

https://github.com/sparklemotion/nokogiri/actions/runs/9487728125/job/26145008195?pr=3230

  1) Failure:
Sanitize::Transformers::CleanDoctype::when :allow_doctype is true#test_0002_should not allow obviously invalid doctype declarations in documents [/__w/nokogiri/nokogiri/sanitize/test/test_clean_doctype.rb:47]:
--- expected
+++ actual
@@ -1 +1 @@
-"<!DOCTYPE html><html>foo</html>"
+"<!DOCTYPE blah><html>foo</html>"

[rgrove]

@rgrove Take note that sanitize is going to have some test failures once this makes it into a release (likely v1.17.0 later in the summer)

Thanks for the heads up! I'll look into this.

[flavorjones]

@rgrove Hmm, I'm digging in and something weird is going on, it's not Sanitize.

[flavorjones]

@rgrove Ahhhh ... GNOME/libxml2@a3713f78

Disallow xmlNodeSetName on DTD nodes. DTD nodes don't store the name in a dictionary. Calling xmlNodeSetName with a DTD node could result in an invalid free.

[rgrove]

Fun! So it looks like Sanitize may need a small change after all. 🙂

[flavorjones]

The downstream Mechanize test failure is due to GNOME/libxml2@8d0aaf4

Not totally sure what the relationship is between the change and the behavior, but I'm also not totally sure I care, we've seen edge case encoding changes like this before and the Mechanize test in question is more descriptive than prescriptive ... sigh. I'll probably just change the test.

[flavorjones]

Ah, this is because Mechanize's encoding_error? method is checking the error message contents ... blurgh. Will update that and I think it should be fine.

[flavorjones]

See sparklemotion/mechanize#644

[flavorjones]

I've opened rgrove/sanitize#238 on sanitize as a potential workaround for the DTD name-change limitation.

[flavorjones]

The failure showing up on freebsd is because my upstream fix from #1941 shipped in v2.13.0! Removing the patch in patches/libxml2/0003-libxml2.la-is-in-top_builddir.patch! 🚀