Security: XPath json-doc() Arbitrary File Read Bypass ( Similar fix as CVE-2026-29039 )

Author: dgtlmoon

changedetectionio/html_tools.py

@@ -70,6 +70,12 @@ def __init__(self, msg):
     'unparsed-text-available',
     'doc',
     'doc-available',
+    'json-doc',
+    'json-doc-available',
+    'collection',           # XPath 2.0+: loads XML node collections from arbitrary URIs
+    'uri-collection',       # XPath 3.0+: enumerates URIs from resource collections
+    'transform',            # XPath 3.1: XSLT transformation (currently raises, block proactively)
+    'load-xquery-module',   # XPath 3.1: loads XQuery modules (currently raises, block proactively)
     'environment-variable',
     'available-environment-variables',
 ]

changedetectionio/tests/test_xpath_selector.py

@@ -610,6 +610,11 @@ def test_xpath_blocked_functions_unit():
         "unparsed-text-available('file:///etc/passwd')",
         "doc('file:///etc/passwd')",
         "doc-available('file:///etc/passwd')",
+        "json-doc('file:///datastore/changedetection.json')",
+        "collection('file:///datastore/')",
+        "uri-collection('file:///datastore/')",
+        "transform(map{})",
+        "load-xquery-module('foo')",
         "environment-variable('PATH')",
         "available-environment-variables()",
     ]