Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

New methods for excluding elements with specific missing or empty attributes #45

Open
wants to merge 30 commits into
base: master
Choose a base branch
from

Commits on Oct 9, 2015

  1. +Added HtmlPolicyBuilder methods for excluding elements with specific…

    … missing or emtpy attributes
    
    +Removed AutoCloseableHtmlStreamRenderer for Java SE 6 compatibility
    Sebastian Uecker committed Oct 9, 2015
    Configuration menu
    Copy the full SHA
    73b68bc View commit details
    Browse the repository at this point in the history
  2. Reverted changes

    Sebastian Uecker committed Oct 9, 2015
    Configuration menu
    Copy the full SHA
    e75d980 View commit details
    Browse the repository at this point in the history
  3. added methods for excluding elements with specific empty or missing a…

    …ttributes or elements that do NOT match a pattern
    Sebastian Uecker committed Oct 9, 2015
    Configuration menu
    Copy the full SHA
    ea02e71 View commit details
    Browse the repository at this point in the history

Commits on Nov 9, 2015

  1. Added TestCase for disallowWithoutAttribute()

    Sebastian Uecker committed Nov 9, 2015
    Configuration menu
    Copy the full SHA
    2537933 View commit details
    Browse the repository at this point in the history

Commits on Jun 15, 2020

  1. Configuration menu
    Copy the full SHA
    e6dd2ea View commit details
    Browse the repository at this point in the history
  2. Configuration menu
    Copy the full SHA
    f3f56d4 View commit details
    Browse the repository at this point in the history
  3. Bumped dev version

    mikesamuel committed Jun 15, 2020
    Configuration menu
    Copy the full SHA
    fd6b2dd View commit details
    Browse the repository at this point in the history

Commits on Jul 13, 2020

  1. Do not lcase element or attribute names that match SVG or MathML name… (

    OWASP#206)
    
    * Do not lcase element or attribute names that match SVG or MathML names exactly
    
    > Currently all names are converted to lowercase which is ok when
    > you're using it for HTML only, but if there is an SVG image nested
    > inside the HTML it breaks.  For example, when `viewBox` attribute is
    > converted to `viewbox` the image is not displayed correctly.
    
    This commit splits *HtmlLexer*.*canonicalName* into variants which preserve
    items on whitelists derived from the SVG and MathML specifications, and
    adjusts callers of *canonicalName* to use the appropriate variant.
    
    Fixes OWASP#182
    
    * add unittests for mixed-case SVG names
    mikesamuel authored Jul 13, 2020
    Configuration menu
    Copy the full SHA
    eb6ef02 View commit details
    Browse the repository at this point in the history
  2. Configuration menu
    Copy the full SHA
    25c3d64 View commit details
    Browse the repository at this point in the history
  3. Bumped dev version

    mikesamuel committed Jul 13, 2020
    Configuration menu
    Copy the full SHA
    ffe5cfa View commit details
    Browse the repository at this point in the history
  4. Configuration menu
    Copy the full SHA
    c7db2d4 View commit details
    Browse the repository at this point in the history
  5. s/master/main/ in doc URLs

    mikesamuel committed Jul 13, 2020
    Configuration menu
    Copy the full SHA
    ca40697 View commit details
    Browse the repository at this point in the history

Commits on Dec 7, 2020

  1. Bump junit from 4.12 to 4.13.1 in /parent (OWASP#215)

    Bumps [junit](https://github.com/junit-team/junit4) from 4.12 to 4.13.1.
    - [Release notes](https://github.com/junit-team/junit4/releases)
    - [Changelog](https://github.com/junit-team/junit4/blob/main/doc/ReleaseNotes4.12.md)
    - [Commits](junit-team/junit4@r4.12...r4.13.1)
    
    Signed-off-by: dependabot[bot] <[email protected]>
    
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    dependabot[bot] authored Dec 7, 2020
    Configuration menu
    Copy the full SHA
    af0ca83 View commit details
    Browse the repository at this point in the history

Commits on Dec 9, 2020

  1. hsl and hsla (OWASP#216)

    aakritisi authored Dec 9, 2020
    Configuration menu
    Copy the full SHA
    acaf3f2 View commit details
    Browse the repository at this point in the history

Commits on Dec 14, 2020

  1. Configuration menu
    Copy the full SHA
    33d319f View commit details
    Browse the repository at this point in the history

Commits on Dec 21, 2020

  1. Fixed allowAtributes("style").globally() (OWASP#218)

    * allowAtributes("style")
    
    * Global style test
    aakritisi authored Dec 21, 2020
    Configuration menu
    Copy the full SHA
    020d5d0 View commit details
    Browse the repository at this point in the history

Commits on May 13, 2021

  1. Upgrade to a modern guava dependency

    This may still be overridden with `-Dguava-version=...`.
    mikesamuel committed May 13, 2021
    Configuration menu
    Copy the full SHA
    ad287c3 View commit details
    Browse the repository at this point in the history

Commits on Oct 18, 2021

  1. Render style tag content more strictly.

    This addresses a vulnerability where policies that allow `<style>`
    elements with text in `<option>` elements are vulnerable to XSS as
    disclosed in
    
    https://docs.google.com/document/d/11SoX296sMS0XoQiQbpxc5pNxSdbJKDJkm5BDv0zrX50/edit?usp=sharing
    
    This changes behavior for rendering of `<style>` element text so may
    change behavior.
    
    Specifically, `<style>` element text that includes the strings `-->`
    or `]]>` will no longer sanitize.
    mikesamuel committed Oct 18, 2021
    Configuration menu
    Copy the full SHA
    be33ec6 View commit details
    Browse the repository at this point in the history
  2. Configuration menu
    Copy the full SHA
    374ea2f View commit details
    Browse the repository at this point in the history
  3. Bumped dev version

    mikesamuel committed Oct 18, 2021
    Configuration menu
    Copy the full SHA
    7d76ba9 View commit details
    Browse the repository at this point in the history
  4. Update vulnerabilities.md

    mikesamuel authored Oct 18, 2021
    Configuration menu
    Copy the full SHA
    e2b29e8 View commit details
    Browse the repository at this point in the history
  5. Recognize that <style> is not really workable inside <select>

    Rather than mucking with `<style>` tag content in all cases, this is a more
    tailored fix to the recent vulnerability that just closes `<style>` elements
    when we realize they're in a dodgy parsing context.
    mikesamuel committed Oct 18, 2021
    Configuration menu
    Copy the full SHA
    14f84fd View commit details
    Browse the repository at this point in the history
  6. Configuration menu
    Copy the full SHA
    62a0715 View commit details
    Browse the repository at this point in the history
  7. Bumped dev version

    mikesamuel committed Oct 18, 2021
    Configuration menu
    Copy the full SHA
    06b299c View commit details
    Browse the repository at this point in the history

Commits on Jun 8, 2022

  1. Decode attribute content differently from text node content (OWASP#255)

    As described in issue OWASP#254 `&para` is a full complete character
    reference when decoding text node content, but not when
    decoding attribute content which causes problems for URL attribute
    values like
    
        /test?param1=foo&param2=bar
    
    As shown via JS test code in that issue, a small set of
    next characters prevent a character reference name match
    from being considered complete.
    
    This commit:
    - modifies the decode functions to take an extra parameter
      `boolean inAttribute`, and modifies the Trie traversal
      loops to not store a longest match so far based on that
      parameter and some next character tests
    - modifies the HTML lexer to pass that attribute appropriately
    - for backwards compat, leaves the old APIs in place but `@deprecated`
    - adds unit tests for the decode functions
    - adds a unit test for the specific input from the issue
    
    This change should make us more conformant with observed
    browser behaviour so is not expected to cause compatibility
    problems for existing users.
    
    Fixes OWASP#254
    mikesamuel authored Jun 8, 2022
    Configuration menu
    Copy the full SHA
    5372c74 View commit details
    Browse the repository at this point in the history
  2. Fix missing null checks in uses of consumeIdentOrUrlOrFunctions (OWAS…

    …P#266)
    
    CssTokens code assumed that consumeIdentOrUrlOrFunctions always
    returned a token type and consumed characters.
    
    This commit audits all uses of that function and checks that
    they make progress.
    mikesamuel authored Jun 8, 2022
    Configuration menu
    Copy the full SHA
    c2c74fc View commit details
    Browse the repository at this point in the history
  3. Configuration menu
    Copy the full SHA
    e35ef4f View commit details
    Browse the repository at this point in the history
  4. Bumped dev version

    mikesamuel committed Jun 8, 2022
    Configuration menu
    Copy the full SHA
    3756979 View commit details
    Browse the repository at this point in the history

Commits on Nov 29, 2022

  1. Configuration menu
    Copy the full SHA
    0372f4f View commit details
    Browse the repository at this point in the history

Commits on Jan 5, 2023

  1. Configuration menu
    Copy the full SHA
    ccb4c18 View commit details
    Browse the repository at this point in the history