cargo(deps): bump lol_html from 2.9.0 to 3.0.0

[dependabot]

Bumps lol_html from 2.9.0 to 3.0.0.

Release notes

Sourced from lol_html's releases.

v3.0.0

• Added MemorySettings::with_graceful_bail_out_on_memory_limit_exceeded(): when set, the rewriter flushes every input byte it has received but not yet emitted to the sink (as-is) before returning MemoryLimitExceededError, so callers can continue the response by writing subsequent bytes directly to their downstream sink instead of breaking it.
• Added Settings::with_graceful_bail_out_on_content_handler_error(): symmetric to the memory setting above, but for RewritingError::ContentHandlerError. When set, the rewriter flushes remaining input bytes before propagating a handler error, preserving the response. Currently exposed via the Rust API only; the C API still uses the original behavior.
• Added Settings::append_bail_out_handler() and the matching bail_out! macro, BailOut rewritable unit, and BailOutHandler / BailOutHandlerSend type aliases. Bail-out handlers fire immediately before the raw flush of remaining unparsed input on a graceful bail-out (memory or content-handler error). Handlers receive the RewritingError and a BailOut through which they can append final bytes to the sink via BailOut::append(content, content_type). Intended for handlers that buffer state across the document (e.g. text-buffering handlers that defer emission) and need to flush that state on bail-out.
• Marked RewritingError #[non_exhaustive] so future error variants can be added without a major version bump. External callers can still match on it, but must include a catch-all _ => arm.
• Reworked Settings, MemorySettings and RewriteStrSettings to use a consuming-builder API. Fields are now private; construction is via ::new() plus chained with_* setters and append_* methods for the content-handler vectors. This makes future field additions non-breaking. Migration:

  // before
  Settings {
      element_content_handlers: vec![element!("div", |el| { /* ... */ Ok(()) })],
      strict: false,
      ..Settings::new()
  }
  // after
  Settings::new()
      .with_strict(false)
      .append_element_content_handler(element!("div", |el| { /* ... */ Ok(()) }))

• Renamed the internal-use feature integration_test to _integration_test. The leading underscore signals to cargo-semver-checks and similar tools that the feature is not part of the public API.
• Comment::set_text now also rejects --!>, a leading >, and a leading ->, which WHATWG-conformant browsers treat as comment terminators. Previously only --> was rejected, so a caller passing attacker-influenced data could let an attacker break out of the comment and inject HTML (security fix).

Changelog

Sourced from lol_html's changelog.

v3.0.0

• Added MemorySettings::with_graceful_bail_out_on_memory_limit_exceeded(): when set, the rewriter flushes every input byte it has received but not yet emitted to the sink (as-is) before returning MemoryLimitExceededError, so callers can continue the response by writing subsequent bytes directly to their downstream sink instead of breaking it.
• Added Settings::with_graceful_bail_out_on_content_handler_error(): symmetric to the memory setting above, but for RewritingError::ContentHandlerError. When set, the rewriter flushes remaining input bytes before propagating a handler error, preserving the response. Currently exposed via the Rust API only; the C API still uses the original behavior.
• Added Settings::append_bail_out_handler() and the matching bail_out! macro, BailOut rewritable unit, and BailOutHandler / BailOutHandlerSend type aliases. Bail-out handlers fire immediately before the raw flush of remaining unparsed input on a graceful bail-out (memory or content-handler error). Handlers receive the RewritingError and a BailOut through which they can append final bytes to the sink via BailOut::append(content, content_type). Intended for handlers that buffer state across the document (e.g. text-buffering handlers that defer emission) and need to flush that state on bail-out.
• Marked RewritingError #[non_exhaustive] so future error variants can be added without a major version bump. External callers can still match on it, but must include a catch-all _ => arm.
• Reworked Settings, MemorySettings and RewriteStrSettings to use a consuming-builder API. Fields are now private; construction is via ::new() plus chained with_* setters and append_* methods for the content-handler vectors. This makes future field additions non-breaking. Migration:

  // before
  Settings {
      element_content_handlers: vec![element!("div", |el| { /* ... */ Ok(()) })],
      strict: false,
      ..Settings::new()
  }
  // after
  Settings::new()
      .with_strict(false)
      .append_element_content_handler(element!("div", |el| { /* ... */ Ok(()) }))

• Renamed the internal-use feature integration_test to _integration_test. The leading underscore signals to cargo-semver-checks and similar tools that the feature is not part of the public API.
• Comment::set_text now also rejects --!>, a leading >, and a leading ->, which WHATWG-conformant browsers treat as comment terminators. Previously only --> was rejected, so a caller passing attacker-influenced data could let an attacker break out of the comment and inject HTML (security fix).

Commits

• 02f139c Add bail-out handler API for flushing buffered state on graceful bail-out.
• ba25359 Reject all browser-recognized comment-closing sequences in Comment::set_text.
• b00626a Convert settings structs to consuming builders.
• 776b44a Rename integration_test feature to _integration_test.
• e97d16c Bump to v3.0.0.
• 31ed2fa Allow rewriter to gracefully bail out on content handler errors.
• 3674c38 Allow rewriter to gracefully bail out on memory limit exceeded.
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[dependabot]

Labels

The following labels could not be found: dependencies, rust. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.