diff --git a/README.md b/README.md index abdf69b0..e6249953 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ # OWASP Java HTML Sanitizer -[](https://travis-ci.org/OWASP/java-html-sanitizer) [![Coverage Status](https://coveralls.io/repos/github/OWASP/java-html-sanitizer/badge.svg?branch=master)](https://coveralls.io/github/OWASP/java-html-sanitizer?branch=master) [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/2602/badge)](https://bestpractices.coreinfrastructure.org/projects/2602) [![Maven Central](https://maven-badges.herokuapp.com/maven-central/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/badge.png?style=plastic)](https://search.maven.org/artifact/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer) +[](https://travis-ci.org/OWASP/java-html-sanitizer) [![Coverage Status](https://coveralls.io/repos/github/OWASP/java-html-sanitizer/badge.svg?branch=main)](https://coveralls.io/github/OWASP/java-html-sanitizer?branch=main) [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/2602/badge)](https://bestpractices.coreinfrastructure.org/projects/2602) [![Maven Central](https://maven-badges.herokuapp.com/maven-central/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/badge.png?style=plastic)](https://search.maven.org/artifact/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer) A fast and easy to configure HTML Sanitizer written in Java which lets @@ -35,7 +35,7 @@ how to get started with or without Maven. ## Prepackaged Policies You can use -[prepackaged policies](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20191001.1/org/owasp/html/Sanitizers.html): +[prepackaged policies](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20220608.1/org/owasp/html/Sanitizers.html): ```Java PolicyFactory policy = Sanitizers.FORMATTING.and(Sanitizers.LINKS); @@ -45,9 +45,9 @@ String safeHTML = policy.sanitize(untrustedHTML); ## Crafting a policy The -[tests](https://github.com/OWASP/java-html-sanitizer/blob/master/src/test/java/org/owasp/html/HtmlPolicyBuilderTest.java) +[tests](https://github.com/OWASP/java-html-sanitizer/blob/main/src/test/java/org/owasp/html/HtmlPolicyBuilderTest.java) show how to configure your own -[policy](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20191001.1/org/owasp/html/HtmlPolicyBuilder.html): +[policy](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20220608.1/org/owasp/html/HtmlPolicyBuilder.html): ```Java PolicyFactory policy = new HtmlPolicyBuilder() @@ -62,7 +62,7 @@ String safeHTML = policy.sanitize(untrustedHTML); ## Custom Policies You can write -[custom policies](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20191001.1/org/owasp/html/ElementPolicy.html) +[custom policies](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20220608.1/org/owasp/html/ElementPolicy.html) to do things like changing `h1`s to `div`s with a certain class: ```Java @@ -85,7 +85,7 @@ need to be explicitly whitelisted using the `allowWithoutAttributes()` method if you want them to be allowed through the filter when these elements do not include any attributes. -[Attribute policies](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20191001.1/org/owasp/html/AttributePolicy.html) allow running custom code too. Adding an attribute policy will not water down any default policy like `style` or URL attribute checks. +[Attribute policies](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20220608.1/org/owasp/html/AttributePolicy.html) allow running custom code too. Adding an attribute policy will not water down any default policy like `style` or URL attribute checks. ```Java new HtmlPolicyBuilder = new HtmlPolicyBuilder() @@ -153,7 +153,7 @@ of the output. ## Telemetry -When a policy rejects an element or attribute it notifies an [HtmlChangeListener](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20191001.1/org/owasp/html/HtmlChangeListener.html). +When a policy rejects an element or attribute it notifies an [HtmlChangeListener](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20220608.1/org/owasp/html/HtmlChangeListener.html). You can use this to keep track of policy violation trends and find out when someone is making an effort to breach your security. @@ -187,7 +187,7 @@ used HTML parsers will agree on the meaning of, but the absence of notifications does not mean that the input is in such a sub-set, only that it does not contain elements or attributes that were removed. -See ["Why sanitize when you can validate"](https://github.com/OWASP/java-html-sanitizer/blob/master/docs/html-validation.md) for more on this topic. +See ["Why sanitize when you can validate"](https://github.com/OWASP/java-html-sanitizer/blob/main/docs/html-validation.md) for more on this topic. ## Questions? @@ -206,7 +206,7 @@ We welcome [issue reports](https://github.com/OWASP/java-html-sanitizer/issues) PRs that change behavior or that add functionality should include both positive and [negative tests](https://www.guru99.com/negative-testing.html). -Please be aware that contributions fall under the [Apache 2.0 License](https://github.com/OWASP/java-html-sanitizer/blob/master/COPYING). +Please be aware that contributions fall under the [Apache 2.0 License](https://github.com/OWASP/java-html-sanitizer/blob/main/COPYING). ## Credits diff --git a/RELEASE-checklist.sh b/RELEASE-checklist.sh index 9315800d..57e611ba 100644 --- a/RELEASE-checklist.sh +++ b/RELEASE-checklist.sh @@ -16,7 +16,7 @@ mvn org.sonatype.ossindex.maven:ossindex-maven-plugin:audit -f aggregate echo echo Browse to echo "file://$PWD/target/site" -echo and check the findbugs and jacoco reports. +echo and check the spotbugs and jacoco reports. echo echo Check https://central.sonatype.org/pages/apache-maven.html#nexus-staging-maven-plugin-for-deployment-and-release @@ -92,7 +92,7 @@ find . -name pom.xml \ git commit -am "Bumped dev version" -git push origin master --tags +git push origin main --tags # Now Release echo '1. Go to oss.sonatype.org' diff --git a/aggregate/pom.xml b/aggregate/pom.xml index 2673aa37..1fc1a84e 100644 --- a/aggregate/pom.xml +++ b/aggregate/pom.xml @@ -3,12 +3,12 @@ com.googlecode.owasp-java-html-sanitizer aggregate pom - 20191001.2-SNAPSHOT + 20220608.2-SNAPSHOT ../parent com.googlecode.owasp-java-html-sanitizer parent - 20191001.2-SNAPSHOT + 20220608.2-SNAPSHOT diff --git a/change_log.md b/change_log.md index 6f2aa79f..04324a49 100644 --- a/change_log.md +++ b/change_log.md @@ -1,13 +1,30 @@ # OWASP Java HTML Sanitizer Change Log - - Additional detail can be found at https://github.com/OWASP/java-html-sanitizer/releases -. + +Most recent at top. + * Release 20220608.1 + * Fix bugs in CSS tokenization + * Fix deocding of HTML character references that lack semicolons + like `¶` in HTML attribute values that affected + URL query parameters. * Release 20211018.2 - * Changes how we avoid problems with special tags inside <select> elements. We recommend using this version over v20211018.1. + * Tweak how we address CVE-2021-42575 to be more tailored and to + interfere less with `" + + "" + + ""; + PolicyFactory pf = new HtmlPolicyBuilder() + .allowElements("option", "select", "style", "svg") + .allowTextIn("style") + .toFactory(); + assertEquals( + "" + + "" + + "" + + "" + + "" + + "", + pf.sanitize(input) + ); + } + + @Test + public static final void testSelectIsOdd() { + // Special text modes interact badly with select and option + String input = ""; + PolicyFactory pf = new HtmlPolicyBuilder() + .allowElements("option", "select", "xmp") + .allowTextIn("xmp", "option") + .toFactory(); + assertEquals( + "" + + "", + pf.sanitize(input) + ); + } + + @Test + public static final void testOptionAllowsText() { + String input = ""; + PolicyFactory pf = new HtmlPolicyBuilder() + .allowElements("option", "select", "pre") + .allowTextIn("pre", "option") + .toFactory(); + assertEquals( + "" + + "", + pf.sanitize(input) + ); + } + + @Test + public static final void testStyleGlobally() { + PolicyFactory policyBuilder = new HtmlPolicyBuilder() + .allowAttributes("style").globally() + .allowElements("a", "label", "h1", "h2", "h3", "h4", "h5", "h6") + .toFactory(); + String input = "

This is some green text

"; + String want = "

This is some green text

"; + assertEquals(want, policyBuilder.sanitize(input)); + } + static int fac(int n) { int ifac = 1; for (int i = 1; i <= n; ++i) { int ifacp = ifac * i; - if (ifacp < ifac) { throw new IllegalArgumentException("undeflow"); } + if (ifacp < ifac) { throw new IllegalArgumentException("underflow"); } ifac = ifacp; } return ifac; diff --git a/src/test/java/org/owasp/html/TagBalancingHtmlStreamRendererTest.java b/src/test/java/org/owasp/html/TagBalancingHtmlStreamRendererTest.java index 004e95cd..38a854ef 100644 --- a/src/test/java/org/owasp/html/TagBalancingHtmlStreamRendererTest.java +++ b/src/test/java/org/owasp/html/TagBalancingHtmlStreamRendererTest.java @@ -158,7 +158,9 @@ public final void testTextContent() { + "

Hello,

" + "

Hello" // Text allowed in special style tag. - + "

" + + "" // Whitespace allowed inside