New methods for excluding elements with specific missing or empty attributes #45
base: master
Commits on Oct 9, 2015
- +Added HtmlPolicyBuilder methods for excluding elements with specific missing or empty attributes
  +Removed AutoCloseableHtmlStreamRenderer for Java SE 6 compatibility
  Sebastian Uecker committed Oct 9, 2015 (commit 73b68bc)
- Commit e75d980
  Sebastian Uecker committed Oct 9, 2015
- added methods for excluding elements with specific empty or missing attributes or elements that do NOT match a pattern
  Sebastian Uecker committed Oct 9, 2015 (commit ea02e71)
Commits on Nov 9, 2015
- Added TestCase for disallowWithoutAttribute()
  Sebastian Uecker committed Nov 9, 2015 (commit 2537933)
Commits on Jun 15, 2020
- Commit e6dd2ea
- Commit f3f56d4
- Commit fd6b2dd
Commits on Jul 13, 2020
- Do not lcase element or attribute names that match SVG or MathML name… (OWASP#206)
  * Do not lcase element or attribute names that match SVG or MathML names exactly
  > Currently all names are converted to lowercase which is ok when
  > you're using it for HTML only, but if there is an SVG image nested
  > inside the HTML it breaks. For example, when `viewBox` attribute is
  > converted to `viewbox` the image is not displayed correctly.
  This commit splits *HtmlLexer*.*canonicalName* into variants which preserve items on whitelists derived from the SVG and MathML specifications, and adjusts callers of *canonicalName* to use the appropriate variant.
  Fixes OWASP#182
  * add unittests for mixed-case SVG names
  (commit eb6ef02)
- Commit 25c3d64
- Commit ffe5cfa
- Commit c7db2d4
- Commit ca40697
Commits on Dec 7, 2020
- Bump junit from 4.12 to 4.13.1 in /parent (OWASP#215)
  Bumps [junit](https://github.com/junit-team/junit4) from 4.12 to 4.13.1.
  - [Release notes](https://github.com/junit-team/junit4/releases)
  - [Changelog](https://github.com/junit-team/junit4/blob/main/doc/ReleaseNotes4.12.md)
  - [Commits](junit-team/junit4@r4.12...r4.13.1)
  Signed-off-by: dependabot[bot] <[email protected]>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
  (commit af0ca83)
Commits on Dec 9, 2020
- Commit acaf3f2
Commits on Dec 14, 2020
- Commit 33d319f
Commits on Dec 21, 2020
- Fixed allowAtributes("style").globally() (OWASP#218)
  * allowAtributes("style")
  * Global style test
  (commit 020d5d0)
Commits on May 13, 2021
- Upgrade to a modern guava dependency
  This may still be overridden with `-Dguava-version=...`.
  (commit ad287c3)
Commits on Oct 18, 2021
- Render style tag content more strictly.
  This addresses a vulnerability where policies that allow `<style>` elements with text in `<option>` elements are vulnerable to XSS as disclosed in https://docs.google.com/document/d/11SoX296sMS0XoQiQbpxc5pNxSdbJKDJkm5BDv0zrX50/edit?usp=sharing
  This changes behavior for rendering of `<style>` element text so may change behavior. Specifically, `<style>` element text that includes the strings `-->` or `]]>` will no longer sanitize.
  (commit be33ec6)
- Commit 374ea2f
- Commit 7d76ba9
- Commit e2b29e8
- Recognize that <style> is not really workable inside <select>
  Rather than mucking with `<style>` tag content in all cases, this is a more tailored fix to the recent vulnerability that just closes `<style>` elements when we realize they're in a dodgy parsing context.
  (commit 14f84fd)
- Commit 62a0715
- Commit 06b299c
Commits on Jun 8, 2022
- Decode attribute content differently from text node content (OWASP#255)
  As described in issue OWASP#254 `¶` is a full complete character reference when decoding text node content, but not when decoding attribute content which causes problems for URL attribute values like /test?param1=foo¶m2=bar
  As shown via JS test code in that issue, a small set of next characters prevent a character reference name match from being considered complete.
  This commit:
  - modifies the decode functions to take an extra parameter `boolean inAttribute`, and modifies the Trie traversal loops to not store a longest match so far based on that parameter and some next character tests
  - modifies the HTML lexer to pass that attribute appropriately
  - for backwards compat, leaves the old APIs in place but `@deprecated`
  - adds unit tests for the decode functions
  - adds a unit test for the specific input from the issue
  This change should make us more conformant with observed browser behaviour so is not expected to cause compatibility problems for existing users.
  Fixes OWASP#254
  (commit 5372c74)
- Fix missing null checks in uses of consumeIdentOrUrlOrFunctions (OWASP#266)
  CssTokens code assumed that consumeIdentOrUrlOrFunctions always returned a token type and consumed characters. This commit audits all uses of that function and checks that they make progress.
  (commit c2c74fc)
- Commit e35ef4f
- Commit 3756979
Commits on Nov 29, 2022
- Commit 0372f4f
Commits on Jan 5, 2023
- Commit ccb4c18