Update lxml to 4.9.0

[pyup-bot]

This PR updates lxml from 4.6.2 to 4.9.0.

Changelog

4.8.0

==================

Features added
--------------

* GH337: Path-like objects are now supported throughout the API instead of just strings.
Patch by Henning Janssen.

* The ``ElementMaker`` now supports ``QName`` values as tags, which always override
the default namespace of the factory.

Bugs fixed
----------

* GH338: In lxml.objectify, the XSI float annotation "nan" and "inf" were spelled in
lower case, whereas XML Schema datatypes define them as "NaN" and "INF" respectively.
Patch by Tobias Deiminger.

Other changes
-------------

* Built with Cython 0.29.28.

4.7.1

==================

Features added
--------------

* Chunked Unicode string parsing via ``parser.feed()`` now encodes the input data
to the native UTF-8 encoding directly, instead of going through ``Py_UNICODE`` /
``wchar_t`` encoding first, which previously required duplicate recoding in most cases.

Bugs fixed
----------

* The standard namespace prefixes were mishandled during "C14N2" serialisation on Python 3.
See https://mail.python.org/archives/list/lxmlpython.org/thread/6ZFBHFOVHOS5GFDOAMPCT6HM5HZPWQ4Q/

* ``lxml.objectify`` previously accepted non-XML numbers with underscores (like "1_000")
as integers or float values in Python 3.6 and later. It now adheres to the number
format of the XML spec again.

* LP1939031: Static wheels of lxml now contain the header files of zlib and libiconv
(in addition to the already provided headers of libxml2/libxslt/libexslt).

Other changes
-------------

* Wheels include libxml2 2.9.12+ and libxslt 1.1.34 (also on Windows).

4.7.0

==================

* Release retracted due to missing files in lxml/includes/.

4.6.5

==================

Bugs fixed
----------

* A vulnerability (GHSL-2021-1038) in the HTML cleaner allowed sneaking script
content through SVG images (CVE-2021-43818).

* A vulnerability (GHSL-2021-1037) in the HTML cleaner allowed sneaking script
content through CSS imports and other crafted constructs (CVE-2021-43818).

4.6.4

==================

Features added
--------------

* GH317: A new property ``system_url`` was added to DTD entities.
Patch by Thirdegree.

* GH314: The ``STATIC_*`` variables in ``setup.py`` can now be passed via env vars.
Patch by Isaac Jurado.

4.6.3

==================

Bugs fixed
----------

* A vulnerability (CVE-2021-28957) was discovered in the HTML Cleaner by Kevin Chung,
which allowed JavaScript to pass through.  The cleaner now removes the HTML5
``formaction`` attribute.

Links

• PyPI: https://pypi.org/project/lxml
• Changelog: https://pyup.io/changelogs/lxml/
• Homepage: https://lxml.de/

[codecov]

Codecov Report

Merging #246 (482d3d7) into master (2060130) will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##           master     #246   +/-   ##
=======================================
  Coverage   98.06%   98.06%           
=======================================
  Files          27       27           
  Lines        1293     1293           
=======================================
  Hits         1268     1268           
  Misses         25       25           

[pyup-bot]

Closing this in favor of #252