From 7ab57ef4485023acaee3e593c257cfaa40b971a2 Mon Sep 17 00:00:00 2001
From: Dave Wichers <dave.wichers@owasp.org>
Date: Mon, 10 Apr 2023 19:45:25 -0400
Subject: [PATCH 1/4] Change all imports to org.htmlunit and
 org.htmlunit.cyberneko as needed. Change uses of new AugmentationImpl() to
 just null. It now compiles, but fails horribly during testing.

---
 pom.xml                                       |  8 +++---
 .../html/scan/AntiSamyDOMScanner.java         |  4 +--
 .../html/scan/AntiSamySAXScanner.java         |  2 +-
 .../validator/html/scan/MagicSAXFilter.java   | 26 ++++++++++---------
 4 files changed, 21 insertions(+), 19 deletions(-)

diff --git a/pom.xml b/pom.xml
index a9ad8401..087bcf7f 100644
--- a/pom.xml
+++ b/pom.xml
@@ -57,7 +57,7 @@
         <version.findsecbugs>1.12.0</version.findsecbugs>
         <version.io>2.11.0</version.io>
         <version.slf4j>2.0.7</version.slf4j>
-        <version.spotbugs.maven>4.7.3.3</version.spotbugs.maven>
+        <version.spotbugs.maven>4.7.3.4</version.spotbugs.maven>
         <version.spotbugs>4.7.3</version.spotbugs>
     </properties>
 
@@ -72,9 +72,9 @@
 
     <dependencies>
         <dependency>
-            <groupId>net.sourceforge.htmlunit</groupId>
+            <groupId>org.htmlunit</groupId>
             <artifactId>neko-htmlunit</artifactId>
-            <version>2.70.0</version>
+            <version>3.0.0</version>
         </dependency>
         <dependency>
             <groupId>org.apache.httpcomponents.client5</groupId>
@@ -263,7 +263,7 @@
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-enforcer-plugin</artifactId>
-                <version>3.2.1</version>
+                <version>3.3.0</version>
                 <dependencies>
                     <dependency>
                         <groupId>org.codehaus.mojo</groupId>
diff --git a/src/main/java/org/owasp/validator/html/scan/AntiSamyDOMScanner.java b/src/main/java/org/owasp/validator/html/scan/AntiSamyDOMScanner.java
index 318f509b..a5b9edab 100644
--- a/src/main/java/org/owasp/validator/html/scan/AntiSamyDOMScanner.java
+++ b/src/main/java/org/owasp/validator/html/scan/AntiSamyDOMScanner.java
@@ -32,9 +32,9 @@
 import java.util.concurrent.ConcurrentLinkedQueue;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
-import net.sourceforge.htmlunit.cyberneko.parsers.DOMFragmentParser;
-import net.sourceforge.htmlunit.xerces.dom.DocumentImpl;
 import org.apache.batik.css.parser.ParseException;
+import org.htmlunit.cyberneko.parsers.DOMFragmentParser;
+import org.htmlunit.cyberneko.xerces.dom.DocumentImpl;
 import org.owasp.validator.css.CssScanner;
 import org.owasp.validator.html.CleanResults;
 import org.owasp.validator.html.Policy;
diff --git a/src/main/java/org/owasp/validator/html/scan/AntiSamySAXScanner.java b/src/main/java/org/owasp/validator/html/scan/AntiSamySAXScanner.java
index 65cbe469..03837865 100644
--- a/src/main/java/org/owasp/validator/html/scan/AntiSamySAXScanner.java
+++ b/src/main/java/org/owasp/validator/html/scan/AntiSamySAXScanner.java
@@ -39,7 +39,7 @@
 import javax.xml.transform.TransformerFactory;
 import javax.xml.transform.sax.SAXResult;
 import javax.xml.transform.sax.SAXSource;
-import net.sourceforge.htmlunit.cyberneko.parsers.SAXParser;
+import org.htmlunit.cyberneko.parsers.SAXParser;
 import org.owasp.validator.html.CleanResults;
 import org.owasp.validator.html.Policy;
 import org.owasp.validator.html.ScanException;
diff --git a/src/main/java/org/owasp/validator/html/scan/MagicSAXFilter.java b/src/main/java/org/owasp/validator/html/scan/MagicSAXFilter.java
index 8966b46f..17103689 100644
--- a/src/main/java/org/owasp/validator/html/scan/MagicSAXFilter.java
+++ b/src/main/java/org/owasp/validator/html/scan/MagicSAXFilter.java
@@ -26,16 +26,15 @@
 
 import java.util.*;
 import java.util.regex.Pattern;
-import net.sourceforge.htmlunit.cyberneko.filters.DefaultFilter;
-import net.sourceforge.htmlunit.xerces.util.AugmentationsImpl;
-import net.sourceforge.htmlunit.xerces.util.XMLAttributesImpl;
-import net.sourceforge.htmlunit.xerces.util.XMLStringBuffer;
-import net.sourceforge.htmlunit.xerces.xni.Augmentations;
-import net.sourceforge.htmlunit.xerces.xni.QName;
-import net.sourceforge.htmlunit.xerces.xni.XMLAttributes;
-import net.sourceforge.htmlunit.xerces.xni.XMLString;
-import net.sourceforge.htmlunit.xerces.xni.XNIException;
-import net.sourceforge.htmlunit.xerces.xni.parser.XMLDocumentFilter;
+import org.htmlunit.cyberneko.filters.DefaultFilter;
+import org.htmlunit.cyberneko.xerces.util.XMLAttributesImpl;
+import org.htmlunit.cyberneko.xerces.util.XMLStringBuffer;
+import org.htmlunit.cyberneko.xerces.xni.Augmentations;
+import org.htmlunit.cyberneko.xerces.xni.QName;
+import org.htmlunit.cyberneko.xerces.xni.XMLAttributes;
+import org.htmlunit.cyberneko.xerces.xni.XMLString;
+import org.htmlunit.cyberneko.xerces.xni.XNIException;
+import org.htmlunit.cyberneko.xerces.xni.parser.XMLDocumentFilter;
 import org.owasp.validator.css.CssScanner;
 import org.owasp.validator.html.CleanResults;
 import org.owasp.validator.html.InternalPolicy;
@@ -191,9 +190,12 @@ public void endElement(QName element, Augmentations augs) throws XNIException {
           // "text/css");
           // start the CSS element
 
-          super.startElement(element, cssAttributes, new AugmentationsImpl());
+          //          super.startElement(element, cssAttributes, new AugmentationsImpl());
+          super.startElement(element, cssAttributes, null);
           // send the cleaned content
-          super.characters(new XMLStringBuffer(results.getCleanHTML()), new AugmentationsImpl());
+          //          super.characters(new XMLStringBuffer(results.getCleanHTML()), new
+          // AugmentationsImpl());
+          super.characters(new XMLStringBuffer(results.getCleanHTML()), null);
           // end the CSS element
           super.endElement(element, augs);
         }

From 0f46eafb5a01bc9e5d1cb8f78d0f20176c0cfe74 Mon Sep 17 00:00:00 2001
From: Dave Wichers <dave.wichers@owasp.org>
Date: Tue, 11 Apr 2023 19:37:03 -0400
Subject: [PATCH 2/4] Update per suggestions from nekohtml maintainer in his PR
 Neko3 #322.

---
 pom.xml                                       |  2 +-
 .../html/scan/AbstractAntiSamyScanner.java    | 33 +++++++--------
 .../html/scan/AntiSamyDOMScanner.java         | 40 ++++++++++---------
 .../html/scan/AntiSamySAXScanner.java         |  4 +-
 .../validator/html/scan/MagicSAXFilter.java   | 40 +++++++++----------
 5 files changed, 60 insertions(+), 59 deletions(-)

diff --git a/pom.xml b/pom.xml
index 087bcf7f..38915b68 100644
--- a/pom.xml
+++ b/pom.xml
@@ -74,7 +74,7 @@
         <dependency>
             <groupId>org.htmlunit</groupId>
             <artifactId>neko-htmlunit</artifactId>
-            <version>3.0.0</version>
+            <version>3.1.0-SNAPSHOT</version>
         </dependency>
         <dependency>
             <groupId>org.apache.httpcomponents.client5</groupId>
diff --git a/src/main/java/org/owasp/validator/html/scan/AbstractAntiSamyScanner.java b/src/main/java/org/owasp/validator/html/scan/AbstractAntiSamyScanner.java
index 9de704b1..31eafc23 100644
--- a/src/main/java/org/owasp/validator/html/scan/AbstractAntiSamyScanner.java
+++ b/src/main/java/org/owasp/validator/html/scan/AbstractAntiSamyScanner.java
@@ -1,25 +1,26 @@
 /*
- * Copyright (c) 2007-2022, Arshan Dabirsiaghi, Jason Li
+ * Copyright (c) 2007-2023, Arshan Dabirsiaghi, Jason Li
  *
  * All rights reserved.
  *
- * Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
+ * Redistribution and use in source and binary forms, with or without modification, are permitted
+ * provided that the following conditions are met:
  *
- * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
- * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
- * Neither the name of OWASP nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
+ * Redistributions of source code must retain the above copyright notice, this list of conditions
+ * and the following disclaimer. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the documentation and/or other
+ * materials provided with the distribution. Neither the name of OWASP nor the names of its
+ * contributors may be used to endorse or promote products derived from this software without
+ * specific prior written permission.
  *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
- * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
- * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
- * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
- * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
- * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
- * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
- * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
- * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
- * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
+ * FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER
+ * IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
+ * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 
 package org.owasp.validator.html.scan;
diff --git a/src/main/java/org/owasp/validator/html/scan/AntiSamyDOMScanner.java b/src/main/java/org/owasp/validator/html/scan/AntiSamyDOMScanner.java
index a5b9edab..420e8e41 100644
--- a/src/main/java/org/owasp/validator/html/scan/AntiSamyDOMScanner.java
+++ b/src/main/java/org/owasp/validator/html/scan/AntiSamyDOMScanner.java
@@ -1,26 +1,28 @@
 /*
- * Copyright (c) 2007-2022, Arshan Dabirsiaghi, Jason Li
+ * Copyright (c) 2007-2023, Arshan Dabirsiaghi, Jason Li
  *
  * All rights reserved.
  *
- * Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
+ * Redistribution and use in source and binary forms, with or without modification, are permitted
+ * provided that the following conditions are met:
  *
- * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
- * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
- * Neither the name of OWASP nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
+ * Redistributions of source code must retain the above copyright notice, this list of conditions
+ * and the following disclaimer. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the documentation and/or other
+ * materials provided with the distribution. Neither the name of OWASP nor the names of its
+ * contributors may be used to endorse or promote products derived from this software without
+ * specific prior written permission.
  *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
- * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
- * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
- * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
- * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
- * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
- * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
- * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
- * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
- * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
+ * FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER
+ * IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
+ * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
+
 package org.owasp.validator.html.scan;
 
 import java.io.IOException;
@@ -224,11 +226,13 @@ static DOMFragmentParser getDomParser()
     parser.setFeature("http://cyberneko.org/html/features/scanner/style/strip-cdata-delims", false);
     parser.setFeature("http://cyberneko.org/html/features/scanner/cdata-sections", true);
 
+    // cyberneko author removed this block. Why?
     try {
       parser.setFeature("http://cyberneko.org/html/features/enforce-strict-attribute-names", true);
     } catch (SAXNotRecognizedException se) {
-      // this indicates that the patched nekohtml is not on the
-      // classpath
+      // this indicates that the patched nekohtml is not on the classpath
+      System.out.println(
+          "DRW: SAXNotRecognizedException for \"http://cyberneko.org/html/features/enforce-strict-attribute-names");
     }
     return parser;
   }
diff --git a/src/main/java/org/owasp/validator/html/scan/AntiSamySAXScanner.java b/src/main/java/org/owasp/validator/html/scan/AntiSamySAXScanner.java
index 03837865..287cfeb6 100644
--- a/src/main/java/org/owasp/validator/html/scan/AntiSamySAXScanner.java
+++ b/src/main/java/org/owasp/validator/html/scan/AntiSamySAXScanner.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2007-2022, Arshan Dabirsiaghi, Jason Li
+ * Copyright (c) 2007-2023, Arshan Dabirsiaghi, Jason Li
  *
  * All rights reserved.
  *
@@ -267,8 +267,6 @@ private static SAXParser getParser() {
       parser.setFeature("http://xml.org/sax/features/namespaces", false);
       parser.setFeature("http://cyberneko.org/html/features/balance-tags/document-fragment", true);
       parser.setFeature("http://cyberneko.org/html/features/scanner/cdata-sections", true);
-      parser.setFeature("http://apache.org/xml/features/scanner/notify-char-refs", true);
-      parser.setFeature("http://apache.org/xml/features/scanner/notify-builtin-refs", true);
 
       parser.setProperty("http://cyberneko.org/html/properties/names/elems", "lower");
       return parser;
diff --git a/src/main/java/org/owasp/validator/html/scan/MagicSAXFilter.java b/src/main/java/org/owasp/validator/html/scan/MagicSAXFilter.java
index 17103689..bb541de1 100644
--- a/src/main/java/org/owasp/validator/html/scan/MagicSAXFilter.java
+++ b/src/main/java/org/owasp/validator/html/scan/MagicSAXFilter.java
@@ -1,25 +1,26 @@
 /*
- * Copyright (c) 2007-2022, Arshan Dabirsiaghi, Jason Li
+ * Copyright (c) 2007-2023, Arshan Dabirsiaghi, Jason Li
  *
  * All rights reserved.
  *
- * Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
+ * Redistribution and use in source and binary forms, with or without modification, are permitted
+ * provided that the following conditions are met:
  *
- * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
- * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
- * Neither the name of OWASP nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
+ * Redistributions of source code must retain the above copyright notice, this list of conditions
+ * and the following disclaimer. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the documentation and/or other
+ * materials provided with the distribution. Neither the name of OWASP nor the names of its
+ * contributors may be used to endorse or promote products derived from this software without
+ * specific prior written permission.
  *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
- * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
- * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
- * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
- * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
- * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
- * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
- * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
- * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
- * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
+ * FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER
+ * IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
+ * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 
 package org.owasp.validator.html.scan;
@@ -190,12 +191,9 @@ public void endElement(QName element, Augmentations augs) throws XNIException {
           // "text/css");
           // start the CSS element
 
-          //          super.startElement(element, cssAttributes, new AugmentationsImpl());
-          super.startElement(element, cssAttributes, null);
+          super.startElement(element, cssAttributes, augs);
           // send the cleaned content
-          //          super.characters(new XMLStringBuffer(results.getCleanHTML()), new
-          // AugmentationsImpl());
-          super.characters(new XMLStringBuffer(results.getCleanHTML()), null);
+          super.characters(new XMLStringBuffer(results.getCleanHTML()), augs);
           // end the CSS element
           super.endElement(element, augs);
         }

From d8a8a20bd4dbb104c438dab8a31d6486f4c963f0 Mon Sep 17 00:00:00 2001
From: Dave Wichers <dave.wichers@owasp.org>
Date: Tue, 11 Apr 2023 20:42:29 -0400
Subject: [PATCH 3/4] Fix test cases to now pass and other minor cleanup in the
 test class.

---
 .../html/scan/AntiSamyDOMScanner.java         |   8 --
 .../validator/html/test/AntiSamyTest.java     | 128 ++++++++----------
 2 files changed, 57 insertions(+), 79 deletions(-)

diff --git a/src/main/java/org/owasp/validator/html/scan/AntiSamyDOMScanner.java b/src/main/java/org/owasp/validator/html/scan/AntiSamyDOMScanner.java
index 420e8e41..2ac7264d 100644
--- a/src/main/java/org/owasp/validator/html/scan/AntiSamyDOMScanner.java
+++ b/src/main/java/org/owasp/validator/html/scan/AntiSamyDOMScanner.java
@@ -226,14 +226,6 @@ static DOMFragmentParser getDomParser()
     parser.setFeature("http://cyberneko.org/html/features/scanner/style/strip-cdata-delims", false);
     parser.setFeature("http://cyberneko.org/html/features/scanner/cdata-sections", true);
 
-    // cyberneko author removed this block. Why?
-    try {
-      parser.setFeature("http://cyberneko.org/html/features/enforce-strict-attribute-names", true);
-    } catch (SAXNotRecognizedException se) {
-      // this indicates that the patched nekohtml is not on the classpath
-      System.out.println(
-          "DRW: SAXNotRecognizedException for \"http://cyberneko.org/html/features/enforce-strict-attribute-names");
-    }
     return parser;
   }
 
diff --git a/src/test/java/org/owasp/validator/html/test/AntiSamyTest.java b/src/test/java/org/owasp/validator/html/test/AntiSamyTest.java
index 4ef4752e..ede9fd65 100644
--- a/src/test/java/org/owasp/validator/html/test/AntiSamyTest.java
+++ b/src/test/java/org/owasp/validator/html/test/AntiSamyTest.java
@@ -1,29 +1,26 @@
 /*
- * Copyright (c) 2007-2022, Arshan Dabirsiaghi, Jason Li
+ * Copyright (c) 2007-2023, Arshan Dabirsiaghi, Jason Li
  *
  * All rights reserved.
  *
- * Redistribution and use in source and binary forms, with or without modification,
- * are permitted provided that the following conditions are met:
+ * Redistribution and use in source and binary forms, with or without modification, are permitted
+ * provided that the following conditions are met:
  *
- * Redistributions of source code must retain the above copyright notice, this list
- * of conditions and the following disclaimer.  Redistributions in binary form must
- * reproduce the above copyright notice, this list of conditions and the following
- * disclaimer in the documentation and/or other materials provided with the distribution.
- * Neither the name of OWASP nor the names of its contributors may be used to endorse
- * or promote products derived from this software without specific prior written permission.
+ * Redistributions of source code must retain the above copyright notice, this list of conditions
+ * and the following disclaimer. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the documentation and/or other
+ * materials provided with the distribution. Neither the name of OWASP nor the names of its
+ * contributors may be used to endorse or promote products derived from this software without
+ * specific prior written permission.
  *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
- * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
- * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
- * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
- * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
- * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
- * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
- * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
- * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
- * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
+ * FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER
+ * IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
+ * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 
 package org.owasp.validator.html.test;
@@ -83,8 +80,7 @@ public class AntiSamyTest {
 
   private static final String[] BASE64_BAD_XML_STRINGS =
       new String[] {
-        // first string is
-        // "<a - href=\"http://www.owasp.org\">click here</a>"
+        // first string is "<a - href=\"http://www.owasp.org\">click here</a>"
         "PGEgLSBocmVmPSJodHRwOi8vd3d3Lm93YXNwLm9yZyI+Y2xpY2sgaGVyZTwvYT4=",
         // the rest are randomly generated 300 byte sequences which generate
         // parser errors, turned into Strings
@@ -109,8 +105,7 @@ public class AntiSamyTest {
   public void setUp() throws Exception {
 
     /*
-     * Load the policy. You may have to change the path to find the Policy
-     * file for your environment.
+     * Load the policy. You may have to change the path to find the Policy file for your environment.
      */
 
     // get Policy instance from a URL.
@@ -800,8 +795,7 @@ public void cssAttacks() throws ScanException, PolicyException {
   }
 
   /*
-   * Test a bunch of strings that have tweaked the XML parsing capabilities of
-   * NekoHTML.
+   * Test a bunch of strings that have tweaked the XML parsing capabilities of NekoHTML.
    */
   @Test
   public void IllegalXML() throws PolicyException {
@@ -818,27 +812,29 @@ public void IllegalXML() throws PolicyException {
       }
     }
 
-    // This fails due to a bug in NekoHTML
-    // try {
-    // assertTrue (
-    // as.scan("<a . href=\"http://www.test.com\">",policy,
-    // AntiSamy.DOM).getCleanHTML().indexOf("href")
-    // != -1 );
-    // } catch (Exception e) {
-    // e.printStackTrace();
-    // fail("Couldn't parse malformed HTML: " + e.getMessage());
-    // }
-
-    // This fails due to a bug in NekoHTML
-    // try {
-    // assertTrue (
-    // as.scan("<a - href=\"http://www.test.com\">",policy,
-    // AntiSamy.DOM).getCleanHTML().indexOf("href")
-    // != -1 );
-    // } catch (Exception e) {
-    // e.printStackTrace();
-    // fail("Couldn't parse malformed HTML: " + e.getMessage());
-    // }
+    // This used to fail due to a bug in NekoHTML, but now works in the new ported version.
+    try {
+      assertTrue(
+          as.scan("<a . href=\"http://www.test.com\">", policy, AntiSamy.DOM)
+                  .getCleanHTML()
+                  .indexOf("href")
+              != -1);
+    } catch (Exception e) {
+      e.printStackTrace();
+      fail("Couldn't parse malformed HTML: " + e.getMessage());
+    }
+
+    // This used to fail due to a bug in NekoHTML, but now works in the new ported version.
+    try {
+      assertTrue(
+          as.scan("<a - href=\"http://www.test.com\">", policy, AntiSamy.DOM)
+                  .getCleanHTML()
+                  .indexOf("href")
+              != -1);
+    } catch (Exception e) {
+      e.printStackTrace();
+      fail("Couldn't parse malformed HTML: " + e.getMessage());
+    }
 
     try {
       assertTrue(as.scan("<style>", policy, AntiSamy.DOM) != null);
@@ -851,8 +847,7 @@ public void IllegalXML() throws PolicyException {
   @Test
   public void issue12() throws ScanException, PolicyException {
     /*
-     * issues 12 (and 36, which was similar). empty tags cause display
-     * problems/"formjacking"
+     * issues 12 (and 36, which was similar). empty tags cause display problems/"formjacking"
      */
 
     Pattern p = Pattern.compile(".*<strong(\\s*)/>.*");
@@ -1151,8 +1146,7 @@ public void issue41() throws ScanException, PolicyException {
     assertEquals(expected, output);
 
     /*
-     * Regular comment nested inside conditional comment. Test makes
-     * sure
+     * Regular comment nested inside conditional comment. Test makes sure.
      */
     assertEquals(
         "<div>text <!-- <!-- IE specific --> comment &lt;[endif]--&gt;</div>",
@@ -1320,10 +1314,8 @@ public void CDATAByPass() throws ScanException, PolicyException {
   @Test
   public void literalLists() throws ScanException, PolicyException {
 
-    /* this test is for confirming literal-lists work as
-     * advertised. it turned out to be an invalid / non-
-     * reproducible bug report but the test seemed useful
-     * enough to keep.
+    /* this test is for confirming literal-lists work as advertised. it turned out to be
+     * an invalid/non-reproducible bug report but the test seemed useful enough to keep.
      */
     String malInput = "hello<p align='invalid'>world</p>";
 
@@ -1357,8 +1349,7 @@ public void stackExhaustion() throws ScanException, PolicyException {
       sb.append("<div>");
     }
     /*
-     * First, make sure this attack is useless against the
-     * SAX parser.
+     * First, make sure this attack is useless against the SAX parser.
      */
     as.scan(sb.toString(), policy, AntiSamy.SAX);
 
@@ -1372,8 +1363,7 @@ public void stackExhaustion() throws ScanException, PolicyException {
     String crDom = crd.getCleanHTML();
     assertTrue(crDom.length() != 0);
     /*
-     * Now push it over the limit to 251 and make sure we blow
-     * up safely.
+     * Now push it over the limit to 251 and make sure we blow up safely.
      */
     sb.append("<div><div>"); // this makes 251
 
@@ -1869,8 +1859,7 @@ public void testGithubIssue23() throws ScanException, PolicyException {
     // were in
 
     // The a.replaceAll("\\s","") is used to strip out all the whitespace in the CleanHTML so we
-    // can successfully find
-    // what we expect to find.
+    // can successfully find what we expect to find.
     assertThat(
         as.scan(test23, policy, AntiSamy.DOM).getCleanHTML().replaceAll("\\s", ""),
         containsString("<ul><li>a</li>"));
@@ -1919,8 +1908,7 @@ public void testGithubIssue26() throws ScanException, PolicyException {
   @Test
   public void testGithubIssue27() throws ScanException, PolicyException {
     // This test doesn't cause an ArrayIndexOutOfBoundsException, as reported in this issue even
-    // though it
-    // replicates the test as described.
+    // though it replicates the test as described.
     String test27 = "my &test";
     assertThat(as.scan(test27, policy, AntiSamy.DOM).getCleanHTML(), containsString("test"));
     assertThat(as.scan(test27, policy, AntiSamy.SAX).getCleanHTML(), containsString("test"));
@@ -2197,8 +2185,7 @@ public void testGithubIssue99() throws ScanException, PolicyException {
   public void testGithubIssue101() throws ScanException, PolicyException {
     // Test that margin attribute is not removed when value has too much significant figures.
     // Current behavior is that decimals like 0.0001 are internally translated to 1.0E-4, this
-    // is reflected on regex validation and actual output. The inconsistency is due to Batik
-    // CSS.
+    // is reflected on regex validation and actual output. The inconsistency is due to Batik CSS.
     assertThat(
         as.scan("<p style=\"margin: 0.0001pt;\">Some text.</p>", policy, AntiSamy.DOM)
             .getCleanHTML(),
@@ -2533,25 +2520,24 @@ public void testGithubIssue151() throws ScanException, PolicyException {
 
   @Test
   public void testSmuggledTagsInStyleContent() throws ScanException, PolicyException {
-    // HTML tags may be smuggled into a style tag after parsing input to an internal
-    // representation.
+    // HTML tags may be smuggled into a style tag after parsing input to an internal representation.
     // If that happens, they should be treated as text content and not as children nodes.
     assertThat(
         as.scan("<select<style/>W<xmp<script>alert(1)</script>", policy, AntiSamy.DOM)
             .getCleanHTML(),
-        not(containsString("script")));
+        not(containsString("<script")));
     assertThat(
         as.scan("<select<style/>W<xmp<script>alert(1)</script>", policy, AntiSamy.SAX)
             .getCleanHTML(),
-        not(containsString("script")));
+        not(containsString("<script")));
     assertThat(
         as.scan("<select<style/>k<input<</>input/onfocus=alert(1)>", policy, AntiSamy.DOM)
             .getCleanHTML(),
-        not(containsString("input")));
+        not(containsString("<input")));
     assertThat(
         as.scan("<select<style/>k<input<</>input/onfocus=alert(1)>", policy, AntiSamy.SAX)
             .getCleanHTML(),
-        not(containsString("input")));
+        not(containsString("<input")));
   }
 
   @Test(timeout = 4000)

From 9e34cb692f84ec67f9bf2ef4a01830120d73f523 Mon Sep 17 00:00:00 2001
From: Dave Wichers <dave.wichers@owasp.org>
Date: Wed, 12 Apr 2023 08:55:37 -0400
Subject: [PATCH 4/4] Ready for release.

---
 SECURITY.md |  1 +
 pom.xml     | 14 +++++++++-----
 2 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/SECURITY.md b/SECURITY.md
index e37a0537..ddaa9153 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -37,3 +37,4 @@ These are the known CVEs reported for AntiSamy:
 CVEs in AntiSamy dependencies:
 * AntiSamy prior to 1.6.6 used the old CyberNeko HTML library v1.9.22, which is subject to https://www.cvedetails.com/cve/CVE-2022-28366 and no longer maintained. AntiSamy 1.6.6 upgraded to an active fork of CyberNeko called HtmlUnit-Neko which fixed this CVE in v2.27 of that library. AntiSamy 1.6.6 upgraded to version 2.60.0 of HtmlUnit-Neko.
 * AntiSamy 1.6.8 upgraded to HtmlUnit-Neko v2.61.0 because v2.60.0 is subject to https://www.cvedetails.com/cve/CVE-2022-29546
+* AntiSamy 1.7.3 upgraded to HtmlUnit-Neko v3.1.0 because all versions prior to 3.0.0 are subject to https://www.cvedetails.com/cve/CVE-2023-26119
diff --git a/pom.xml b/pom.xml
index 38915b68..375f2aec 100644
--- a/pom.xml
+++ b/pom.xml
@@ -5,7 +5,7 @@
     <groupId>org.owasp.antisamy</groupId>
     <artifactId>antisamy</artifactId>
     <packaging>jar</packaging>
-    <version>1.7.3-SNAPSHOT</version>
+    <version>1.7.3</version>
 
     <distributionManagement>
         <snapshotRepository>
@@ -52,7 +52,7 @@
         <fluido.version>2.0.0-M5</fluido.version>
         <gpg.skip>true</gpg.skip><!-- by default skip gpg -->
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
-        <project.build.outputTimestamp>2022-11-18T14:32:45Z</project.build.outputTimestamp>
+        <project.build.outputTimestamp>2022-04-12T11:03:14Z</project.build.outputTimestamp>
         <project.java.target>1.8</project.java.target>
         <version.findsecbugs>1.12.0</version.findsecbugs>
         <version.io>2.11.0</version.io>
@@ -74,18 +74,22 @@
         <dependency>
             <groupId>org.htmlunit</groupId>
             <artifactId>neko-htmlunit</artifactId>
-            <version>3.1.0-SNAPSHOT</version>
+            <version>3.1.0</version>
         </dependency>
         <dependency>
             <groupId>org.apache.httpcomponents.client5</groupId>
             <artifactId>httpclient5</artifactId>
             <version>5.2.1</version>
             <exclusions>
-                <!-- exclude this old version of slf4j-api as newer can be used -->
+                <!-- exclude old versions of slf4j-api and httpcore5 as newer versions can be used -->
                 <exclusion>
                     <groupId>org.slf4j</groupId>
                     <artifactId>slf4j-api</artifactId>
                 </exclusion>
+                <exclusion>
+                    <groupId>org.apache.httpcomponents.core5</groupId>
+                    <artifactId>httpcore5</artifactId>
+                </exclusion>
             </exclusions>
         </dependency>
         <dependency>
@@ -403,7 +407,7 @@
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-site-plugin</artifactId>
-                <version>4.0.0-M6</version>
+                <version>4.0.0-M7</version>
                 <dependencies>
                     <!-- Explicitly declare these dependencies so the versions plugin and library bots will flag available updates. The fluido-skin 
                         plugin is referenced in src/site/site.xml using the same fluido version property. -->