diff --git a/README.md b/README.md
index abdf69b0..e6249953 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@
# OWASP Java HTML Sanitizer
-[](https://travis-ci.org/OWASP/java-html-sanitizer) [![Coverage Status](https://coveralls.io/repos/github/OWASP/java-html-sanitizer/badge.svg?branch=master)](https://coveralls.io/github/OWASP/java-html-sanitizer?branch=master) [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/2602/badge)](https://bestpractices.coreinfrastructure.org/projects/2602) [![Maven Central](https://maven-badges.herokuapp.com/maven-central/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/badge.png?style=plastic)](https://search.maven.org/artifact/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer)
+[](https://travis-ci.org/OWASP/java-html-sanitizer) [![Coverage Status](https://coveralls.io/repos/github/OWASP/java-html-sanitizer/badge.svg?branch=main)](https://coveralls.io/github/OWASP/java-html-sanitizer?branch=main) [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/2602/badge)](https://bestpractices.coreinfrastructure.org/projects/2602) [![Maven Central](https://maven-badges.herokuapp.com/maven-central/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/badge.png?style=plastic)](https://search.maven.org/artifact/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer)
A fast and easy to configure HTML Sanitizer written in Java which lets
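Review bot: the Travis badge on the changed line is written as `[](https://travis-ci.org/OWASP/java-html-sanitizer)` with empty link text, so nothing renders for the build status; if the build badge is meant to stay, put the badge image back inside the brackets (e.g. `[![Build Status](...)](https://travis-ci.org/OWASP/java-html-sanitizer)`), and since the coverage badge now carries `branch=main`, check that the build link resolves to the same branch.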
@@ -35,7 +35,7 @@ how to get started with or without Maven.
## Prepackaged Policies
You can use
-[prepackaged policies](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20191001.1/org/owasp/html/Sanitizers.html):
+[prepackaged policies](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20220608.1/org/owasp/html/Sanitizers.html):
```Java
PolicyFactory policy = Sanitizers.FORMATTING.and(Sanitizers.LINKS);
@@ -45,9 +45,9 @@ String safeHTML = policy.sanitize(untrustedHTML);
## Crafting a policy
The
-[tests](https://github.com/OWASP/java-html-sanitizer/blob/master/src/test/java/org/owasp/html/HtmlPolicyBuilderTest.java)
+[tests](https://github.com/OWASP/java-html-sanitizer/blob/main/src/test/java/org/owasp/html/HtmlPolicyBuilderTest.java)
show how to configure your own
-[policy](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20191001.1/org/owasp/html/HtmlPolicyBuilder.html):
+[policy](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20220608.1/org/owasp/html/HtmlPolicyBuilder.html):
```Java
PolicyFactory policy = new HtmlPolicyBuilder()
@@ -62,7 +62,7 @@ String safeHTML = policy.sanitize(untrustedHTML);
## Custom Policies
You can write
-[custom policies](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20191001.1/org/owasp/html/ElementPolicy.html)
+[custom policies](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20220608.1/org/owasp/html/ElementPolicy.html)
to do things like changing `h1`s to `div`s with a certain class:
```Java
@@ -85,7 +85,7 @@ need to be explicitly whitelisted using the `allowWithoutAttributes()`
method if you want them to be allowed through the filter when these
elements do not include any attributes.
-[Attribute policies](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20191001.1/org/owasp/html/AttributePolicy.html) allow running custom code too. Adding an attribute policy will not water down any default policy like `style` or URL attribute checks.
+[Attribute policies](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20220608.1/org/owasp/html/AttributePolicy.html) allow running custom code too. Adding an attribute policy will not water down any default policy like `style` or URL attribute checks.
```Java
new HtmlPolicyBuilder = new HtmlPolicyBuilder()
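Review bot: the context line `new HtmlPolicyBuilder = new HtmlPolicyBuilder()` that opens the attribute-policy example is not valid Java (there is no variable name, and `new` sits where the type belongs); since this hunk already edits the paragraph above it, change the snippet to match the other README examples, e.g. `PolicyFactory policy = new HtmlPolicyBuilder()` ending in `.toFactory();`.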
@@ -153,7 +153,7 @@ of the output.
## Telemetry
-When a policy rejects an element or attribute it notifies an [HtmlChangeListener](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20191001.1/org/owasp/html/HtmlChangeListener.html).
+When a policy rejects an element or attribute it notifies an [HtmlChangeListener](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20220608.1/org/owasp/html/HtmlChangeListener.html).
You can use this to keep track of policy violation trends and find out when someone
is making an effort to breach your security.
@@ -187,7 +187,7 @@ used HTML parsers will agree on the meaning of, but the absence of
notifications does not mean that the input is in such a sub-set,
only that it does not contain elements or attributes that were removed.
-See ["Why sanitize when you can validate"](https://github.com/OWASP/java-html-sanitizer/blob/master/docs/html-validation.md) for more on this topic.
+See ["Why sanitize when you can validate"](https://github.com/OWASP/java-html-sanitizer/blob/main/docs/html-validation.md) for more on this topic.
## Questions?
@@ -206,7 +206,7 @@ We welcome [issue reports](https://github.com/OWASP/java-html-sanitizer/issues)
PRs that change behavior or that add functionality should include both positive and
[negative tests](https://www.guru99.com/negative-testing.html).
-Please be aware that contributions fall under the [Apache 2.0 License](https://github.com/OWASP/java-html-sanitizer/blob/master/COPYING).
+Please be aware that contributions fall under the [Apache 2.0 License](https://github.com/OWASP/java-html-sanitizer/blob/main/COPYING).
## Credits
diff --git a/RELEASE-checklist.sh b/RELEASE-checklist.sh
index 9315800d..57e611ba 100644
--- a/RELEASE-checklist.sh
+++ b/RELEASE-checklist.sh
@@ -16,7 +16,7 @@ mvn org.sonatype.ossindex.maven:ossindex-maven-plugin:audit -f aggregate
echo
echo Browse to
echo "file://$PWD/target/site"
-echo and check the findbugs and jacoco reports.
+echo and check the spotbugs and jacoco reports.
echo
echo Check https://central.sonatype.org/pages/apache-maven.html#nexus-staging-maven-plugin-for-deployment-and-release
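Review bot: the prompt now tells the releaser to check a spotbugs report, but nothing in this patch shows the build switching from the findbugs plugin to spotbugs-maven-plugin; confirm the pom actually produces a spotbugs report under `target/site`, otherwise the checklist points at a report that is never generated and the manual review step is silently skipped.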
@@ -92,7 +92,7 @@ find . -name pom.xml \
git commit -am "Bumped dev version"
-git push origin master --tags
+git push origin main --tags
# Now Release
echo '1. Go to oss.sonatype.org'
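Review bot: `git push origin main --tags` hard-codes the branch and pushes every local tag, not just the one for this release; consider checking that the current branch is `main` before the push (so the script fails loudly when run from a stale checkout) and pushing only the release tag by name, so stray local tags never reach the public repository.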
diff --git a/aggregate/pom.xml b/aggregate/pom.xml
index 2673aa37..1fc1a84e 100644
--- a/aggregate/pom.xml
+++ b/aggregate/pom.xml
@@ -3,12 +3,12 @@
com.googlecode.owasp-java-html-sanitizeraggregatepom
- 20191001.2-SNAPSHOT
+ 20220608.2-SNAPSHOT../parentcom.googlecode.owasp-java-html-sanitizerparent
- 20191001.2-SNAPSHOT
+ 20220608.2-SNAPSHOT
diff --git a/change_log.md b/change_log.md
index 6f2aa79f..04324a49 100644
--- a/change_log.md
+++ b/change_log.md
@@ -1,13 +1,30 @@
# OWASP Java HTML Sanitizer Change Log
-
- Additional detail can be found at https://github.com/OWASP/java-html-sanitizer/releases
-.
+
+Most recent at top.
+ * Release 20220608.1
+ * Fix bugs in CSS tokenization
+ * Fix deocding of HTML character references that lack semicolons
+ like `¶` in HTML attribute values that affected
+ URL query parameters.
* Release 20211018.2
- * Changes how we avoid problems with special tags inside <select> elements. We recommend using this version over v20211018.1.
+ * Tweak how we address CVE-2021-42575 to be more tailored and to
+ interfere less with `"
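Review bot: the new entry `+ * Fix deocding of HTML character references` misspells "decoding"; also, this hunk deletes the line pointing readers to https://github.com/OWASP/java-html-sanitizer/releases for additional detail, which is still useful alongside "Most recent at top." and could simply be kept under the heading.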
+ + ""
+ + "";
+ PolicyFactory pf = new HtmlPolicyBuilder()
+ .allowElements("option", "select", "style", "svg")
+ .allowTextIn("style")
+ .toFactory();
+ assertEquals(
+ ""
+ + ""
+ + ""
+ + "",
+ pf.sanitize(input)
+ );
+ }
+
+ @Test
+ public static final void testSelectIsOdd() {
+ // Special text modes interact badly with select and option
+ String input = "";
+ PolicyFactory pf = new HtmlPolicyBuilder()
+ .allowElements("option", "select", "xmp")
+ .allowTextIn("xmp", "option")
+ .toFactory();
+ assertEquals(
+ ""
+ + "",
+ pf.sanitize(input)
+ );
+ }
+
+ @Test
+ public static final void testOptionAllowsText() {
+ String input = "";
+ PolicyFactory pf = new HtmlPolicyBuilder()
+ .allowElements("option", "select", "pre")
+ .allowTextIn("pre", "option")
+ .toFactory();
+ assertEquals(
+ ""
+ + "",
+ pf.sanitize(input)
+ );
+ }
+
+ @Test
+ public static final void testStyleGlobally() {
+ PolicyFactory policyBuilder = new HtmlPolicyBuilder()
+ .allowAttributes("style").globally()
+ .allowElements("a", "label", "h1", "h2", "h3", "h4", "h5", "h6")
+ .toFactory();
+ String input = "
This is some green text
";
+ String want = "
This is some green text
";
+ assertEquals(want, policyBuilder.sanitize(input));
+ }
+
static int fac(int n) {
int ifac = 1;
for (int i = 1; i <= n; ++i) {
int ifacp = ifac * i;
- if (ifacp < ifac) { throw new IllegalArgumentException("undeflow"); }
+ if (ifacp < ifac) { throw new IllegalArgumentException("underflow"); }
ifac = ifacp;
}
return ifac;
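Review bot: the check `if (ifacp < ifac)` in `fac` does not reliably detect wraparound, and the message, now spelled "underflow", names the wrong condition: what can happen here is signed integer overflow. For example, 12! is 479001600 while 13! wraps to 1932053504 in 32-bit arithmetic, which is still larger than 12!, so no exception is thrown for n = 13. Use `int ifacp = Math.multiplyExact(ifac, i);`, which throws `ArithmeticException` on overflow, and drop the hand-rolled comparison. Separately, in `testStyleGlobally` the local `policyBuilder` holds the result of `.toFactory()`, so naming it `policy` or `pf` as the neighbouring tests do would avoid confusion.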
diff --git a/src/test/java/org/owasp/html/TagBalancingHtmlStreamRendererTest.java b/src/test/java/org/owasp/html/TagBalancingHtmlStreamRendererTest.java
index 004e95cd..38a854ef 100644
--- a/src/test/java/org/owasp/html/TagBalancingHtmlStreamRendererTest.java
+++ b/src/test/java/org/owasp/html/TagBalancingHtmlStreamRendererTest.java
@@ -158,7 +158,9 @@ public final void testTextContent() {
+ "
Hello,
"
+ "
Hello"
// Text allowed in special style tag.
- + "