Skip to content

Commit

Permalink
Release candidate 20240325.1
Browse files Browse the repository at this point in the history
  • Loading branch information
mikesamuel committed Mar 25, 2024
1 parent 98c137a commit dd8c6a4
Show file tree
Hide file tree
Showing 12 changed files with 47 additions and 22 deletions.
10 changes: 5 additions & 5 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -35,7 +35,7 @@ how to get started with or without Maven.
## Prepackaged Policies

You can use
[prepackaged policies](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20220608.1/org/owasp/html/Sanitizers.html):
[prepackaged policies](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20240325.1/org/owasp/html/Sanitizers.html):

```Java
PolicyFactory policy = Sanitizers.FORMATTING.and(Sanitizers.LINKS);
Expand All @@ -47,7 +47,7 @@ String safeHTML = policy.sanitize(untrustedHTML);
The
[tests](https://github.com/OWASP/java-html-sanitizer/blob/main/src/test/java/org/owasp/html/HtmlPolicyBuilderTest.java)
show how to configure your own
[policy](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20220608.1/org/owasp/html/HtmlPolicyBuilder.html):
[policy](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20240325.1/org/owasp/html/HtmlPolicyBuilder.html):

```Java
PolicyFactory policy = new HtmlPolicyBuilder()
Expand All @@ -62,7 +62,7 @@ String safeHTML = policy.sanitize(untrustedHTML);
## Custom Policies

You can write
[custom policies](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20220608.1/org/owasp/html/ElementPolicy.html)
[custom policies](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20240325.1/org/owasp/html/ElementPolicy.html)
to do things like changing `h1`s to `div`s with a certain class:

```Java
Expand All @@ -85,7 +85,7 @@ need to be explicitly whitelisted using the `allowWithoutAttributes()`
method if you want them to be allowed through the filter when these
elements do not include any attributes.

[Attribute policies](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20220608.1/org/owasp/html/AttributePolicy.html) allow running custom code too. Adding an attribute policy will not water down any default policy like `style` or URL attribute checks.
[Attribute policies](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20240325.1/org/owasp/html/AttributePolicy.html) allow running custom code too. Adding an attribute policy will not water down any default policy like `style` or URL attribute checks.

```Java
new HtmlPolicyBuilder = new HtmlPolicyBuilder()
Expand Down Expand Up @@ -153,7 +153,7 @@ of the output.

## Telemetry

When a policy rejects an element or attribute it notifies an [HtmlChangeListener](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20220608.1/org/owasp/html/HtmlChangeListener.html).
When a policy rejects an element or attribute it notifies an [HtmlChangeListener](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20240325.1/org/owasp/html/HtmlChangeListener.html).

You can use this to keep track of policy violation trends and find out when someone
is making an effort to breach your security.
Expand Down
4 changes: 2 additions & 2 deletions aggregate/pom.xml
Original file line number Diff line number Diff line change
Expand Up @@ -3,12 +3,12 @@
<groupId>com.googlecode.owasp-java-html-sanitizer</groupId>
<artifactId>aggregate</artifactId>
<packaging>pom</packaging>
<version>20220608.2-SNAPSHOT</version>
<version>20240325.1</version>
<parent>
<relativePath>..</relativePath>
<groupId>com.googlecode.owasp-java-html-sanitizer</groupId>
<artifactId>parent</artifactId>
<version>20220608.2-SNAPSHOT</version>
<version>20240325.1</version>
</parent>

<modules>
Expand Down
10 changes: 10 additions & 0 deletions change_log.md
Original file line number Diff line number Diff line change
@@ -1,6 +1,16 @@
# OWASP Java HTML Sanitizer Change Log

Most recent at top.
* Release 20240325.1
* Remove dependency on Guava
* Raise minimum supported JVM release to 8
* HTML: Avoid duplicate link `rel` values.
* HTML: Recognize foreign content syntactic context: `mathml` / `svg`.
* CSS: Better support for `font-size`, `overflow-wrap`, `word-break`.
* CSS: Better child combinator parsing.
* Bug: Fixed out of bounds when mixing global style attribute with others.
* Special thanks to (in lexicographic order):
Claudio Weiler, Josh England, Prakhar Maurya, Sven Strickroth, subbudvk
* Release 20220608.1
* Fix bugs in CSS tokenization
* Fix deocding of HTML character references that lack semicolons
Expand Down
10 changes: 5 additions & 5 deletions docs/getting_started.md
Original file line number Diff line number Diff line change
Expand Up @@ -29,16 +29,16 @@ it to HTML.
The
[javadoc](http://javadoc.io/doc/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/)
covers more detailed topics, including
[customization](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20220608.1/org/owasp/html/HtmlPolicyBuilder.html).
[customization](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20240325.1/org/owasp/html/HtmlPolicyBuilder.html).

Important classes are:

* [Sanitizers](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20220608.1/org/owasp/html/Sanitizers.html) contains combinable pre-packaged policies.
* [HtmlPolicyBuilder](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20220608.1/org/owasp/html/HtmlPolicyBuilder.html) lets you easily build custom policies.
* [Sanitizers](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20240325.1/org/owasp/html/Sanitizers.html) contains combinable pre-packaged policies.
* [HtmlPolicyBuilder](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20240325.1/org/owasp/html/HtmlPolicyBuilder.html) lets you easily build custom policies.

For advanced use, see:
* [AttributePolicy](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20220608.1/org/owasp/html/AttributePolicy.html) and [ElementPolicy](http://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20180219.1/org/owasp/html/ElementPolicy.html) allow complex customization.
* [HtmlStreamEventReceiver](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20220608.1/org/owasp/html/HtmlStreamEventReceiver.html) if you don't just want a `String` as output.
* [AttributePolicy](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20240325.1/org/owasp/html/AttributePolicy.html) and [ElementPolicy](http://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20180219.1/org/owasp/html/ElementPolicy.html) allow complex customization.
* [HtmlStreamEventReceiver](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20240325.1/org/owasp/html/HtmlStreamEventReceiver.html) if you don't just want a `String` as output.

## Asking Questions

Expand Down
2 changes: 1 addition & 1 deletion docs/maven.md
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,7 @@ Bigger numbers are more recent and the [change log](../change_log.md)
can shed light on the salient differences.

You should be able to build with the HTML sanitizer. You can read the
[javadoc](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20220608.1/index.html),
[javadoc](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20240325.1/index.html),
and if you have questions that aren't answered by these wiki pages,
you can ask on the
[mailing list](http://groups.google.com/group/owasp-java-html-sanitizer-support).
Expand Down
4 changes: 2 additions & 2 deletions empiricism/pom.xml
Original file line number Diff line number Diff line change
Expand Up @@ -2,13 +2,13 @@
<modelVersion>4.0.0</modelVersion>
<groupId>com.googlecode.owasp-java-html-sanitizer</groupId>
<artifactId>html-types</artifactId>
<version>20220608.2-SNAPSHOT</version>
<version>20240325.1</version>
<packaging>jar</packaging>
<parent>
<relativePath>..</relativePath>
<groupId>com.googlecode.owasp-java-html-sanitizer</groupId>
<artifactId>parent</artifactId>
<version>20220608.2-SNAPSHOT</version>
<version>20240325.1</version>
</parent>

<name>empiricism</name>
Expand Down
4 changes: 2 additions & 2 deletions html-types/pom.xml
Original file line number Diff line number Diff line change
Expand Up @@ -2,13 +2,13 @@
<modelVersion>4.0.0</modelVersion>
<groupId>com.googlecode.owasp-java-html-sanitizer</groupId>
<artifactId>html-types</artifactId>
<version>20220608.2-SNAPSHOT</version>
<version>20240325.1</version>
<packaging>bundle</packaging>
<parent>
<relativePath>..</relativePath>
<groupId>com.googlecode.owasp-java-html-sanitizer</groupId>
<artifactId>parent</artifactId>
<version>20220608.2-SNAPSHOT</version>
<version>20240325.1</version>
</parent>

<name>OWASP Java HTML Sanitizer Safe HTML Compatibility</name>
Expand Down
11 changes: 9 additions & 2 deletions java10-shim/pom.xml
Original file line number Diff line number Diff line change
Expand Up @@ -6,13 +6,13 @@
<relativePath>..</relativePath>
<groupId>com.googlecode.owasp-java-html-sanitizer</groupId>
<artifactId>parent</artifactId>
<version>20220608.2-SNAPSHOT</version>
<version>20240325.1</version>
</parent>

<name>Java 10 Shim</name>
<description>
Provides an implementation of java8-shim that interoperates with
Java >= 10 idioms for immutable collections.
Java &gt;= 10 idioms for immutable collections.
</description>

<build>
Expand All @@ -24,6 +24,13 @@
<release>10</release>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-release-plugin</artifactId>
<configuration>
<arguments>-Dmaven.javadoc.skip=true</arguments> <!-- No public classes -->
</configuration>
</plugin>
</plugins>
</build>

Expand Down
8 changes: 8 additions & 0 deletions java10-shim/src/main/java/org/owasp/shim/Notice.java
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
package org.owasp.shim;

/**
* This bundle has no useful public classes as it serves only to provide an
* implementation class loaded reflectively. See Java8Shim for details.
*/
public class Notice {
}
2 changes: 1 addition & 1 deletion java8-shim/pom.xml
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@
<relativePath>..</relativePath>
<groupId>com.googlecode.owasp-java-html-sanitizer</groupId>
<artifactId>parent</artifactId>
<version>20220608.2-SNAPSHOT</version>
<version>20240325.1</version>
</parent>

<name>Java 8 Shim</name>
Expand Down
2 changes: 1 addition & 1 deletion owasp-java-html-sanitizer/pom.xml
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@
<relativePath>..</relativePath>
<groupId>com.googlecode.owasp-java-html-sanitizer</groupId>
<artifactId>parent</artifactId>
<version>20220608.2-SNAPSHOT</version>
<version>20240325.1</version>
</parent>

<name>OWASP Java HTML Sanitizer</name>
Expand Down
2 changes: 1 addition & 1 deletion pom.xml
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>com.googlecode.owasp-java-html-sanitizer</groupId>
<artifactId>parent</artifactId>
<version>20220608.2-SNAPSHOT</version>
<version>20240325.1</version>

<packaging>pom</packaging>

Expand Down

0 comments on commit dd8c6a4

Please sign in to comment.