Changes for 1.6.6 release

pom.xml

@@ -44,8 +44,7 @@
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
         <project.build.outputTimestamp>2022-01-31T23:13:00Z</project.build.outputTimestamp>
         <gpg.skip>true</gpg.skip><!-- by default skip gpg -->
-        <!--   The latest commons-io is 2.11.0, but requires Java 8 starting with 2.7  -->
-        <version.io>2.6</version.io>
+        <version.io>2.11.0</version.io>
         <version.slf4j>1.7.36</version.slf4j>
         <version.spotbugs.maven>4.6.0.0</version.spotbugs.maven>
         <version.spotbugs>4.6.0</version.spotbugs>
@@ -61,49 +60,20 @@
     </profiles>
 
     <dependencies>
-        <!-- dependency>
-            <groupId>net.sourceforge.nekohtml</groupId>
-            <artifactId>nekohtml</artifactId>
-            <version>1.9.22</version>
-            <exclusions>
-                <! exclude this as nekohtml uses an older xercesImpl and we want to eliminate the convergence mismatch >
-                <exclusion>
-                    <groupId>xerces</groupId>
-                    <artifactId>xercesImpl</artifactId>
-                </exclusion>
-            </exclusions>
-        </dependency -->
         <dependency>
             <groupId>net.sourceforge.htmlunit</groupId>
             <artifactId>neko-htmlunit</artifactId>
-            <!-- version 2.25+ requires Java 8 -->
-            <version>2.24</version>
+            <version>2.60.0</version>
         </dependency>
         <dependency>
-            <groupId>org.apache.httpcomponents</groupId>
-            <artifactId>httpclient</artifactId>
-            <version>4.5.13</version>
-            <exclusions>
-                <!-- exclude these as httpclient uses older versions of these libraries that we directly import and we want to eliminate the convergence mismatch -->
-                <exclusion>
-                    <groupId>commons-codec</groupId>
-                    <artifactId>commons-codec</artifactId>
-                </exclusion>
-                <!-- exclude obsolete commons-logging in favor of jcl-over-slf4j to ensure logs all pipe through slf4j-api -->
-                <exclusion>
-                    <groupId>commons-logging</groupId>
-                    <artifactId>commons-logging</artifactId>
-                </exclusion>
-                <exclusion>
-                   <groupId>org.apache.httpcomponents</groupId>
-                   <artifactId>httpcore</artifactId>
-                </exclusion>
-            </exclusions>
+            <groupId>org.apache.httpcomponents.client5</groupId>
+            <artifactId>httpclient5</artifactId>
+            <version>5.1.3</version>
         </dependency>
         <dependency>
-            <groupId>org.apache.httpcomponents</groupId>
-            <artifactId>httpcore</artifactId>
-            <version>4.4.15</version>
+            <groupId>org.apache.httpcomponents.core5</groupId>
+            <artifactId>httpcore5</artifactId>
+            <version>5.1.3</version>
         </dependency>
         <dependency>
             <groupId>org.apache.xmlgraphics</groupId>
@@ -279,10 +249,10 @@
                         <configuration>
                             <rules>
                                 <enforceBytecodeVersion>
-                                    <maxJdkVersion>1.7</maxJdkVersion>
+                                    <maxJdkVersion>1.8</maxJdkVersion>
                                     <ignoreOptionals>true</ignoreOptionals>
                                     <ignoredScopes>test</ignoredScopes>
-                                    <message>Dependencies shouldn't require Java 8+.</message>
+                                    <message>Dependencies shouldn't require Java 9+.</message>
                                 </enforceBytecodeVersion>
                                 <requireMavenVersion>
                                     <version>3.3.9</version>
@@ -298,7 +268,7 @@
                             <rules>
                                 <requireJavaVersion>
                                     <version>1.7</version>
-                                    <message>Antisamy is written to support Java 7+.</message>
+                                    <message>Antisamy source code is written to support Java 7+.</message>
                                 </requireJavaVersion>
                             </rules>
                         </configuration>

src/main/java/org/owasp/validator/css/CssHandler.java

@@ -167,7 +167,7 @@ public CssHandler(Policy policy, List<String> errorMessages, ResourceBundle mess
 	 *            the tag name associated with this inline style
 	 */
 	public CssHandler(Policy policy, List<String> errorMessages, ResourceBundle messages, String tagName) {
-		this(policy, null, new ArrayList<String>(), tagName, messages);
+		this(policy, null, errorMessages, tagName, messages);
 	}
 
 	/**

src/main/java/org/owasp/validator/css/CssScanner.java

@@ -43,12 +43,17 @@
 
 import org.apache.batik.css.parser.ParseException;
 import org.apache.batik.css.parser.Parser;
-import org.apache.http.HttpResponse;
-import org.apache.http.client.HttpClient;
-import org.apache.http.client.config.RequestConfig;
-import org.apache.http.client.methods.HttpGet;
-import org.apache.http.impl.client.HttpClientBuilder;
-import org.apache.http.util.EntityUtils;
+import org.apache.hc.core5.http.ClassicHttpResponse;
+import org.apache.hc.core5.http.HttpEntity;
+import org.apache.hc.core5.http.HttpStatus;
+import org.apache.hc.client5.http.ClientProtocolException;
+import org.apache.hc.client5.http.classic.HttpClient;
+import org.apache.hc.client5.http.config.RequestConfig;
+import org.apache.hc.client5.http.classic.methods.HttpGet;
+import org.apache.hc.client5.http.impl.classic.HttpClientBuilder;
+import org.apache.hc.core5.http.io.HttpClientResponseHandler;
+import org.apache.hc.core5.http.io.entity.EntityUtils;
+import org.apache.hc.core5.util.Timeout;
 import org.owasp.validator.html.CleanResults;
 import org.owasp.validator.html.InternalPolicy;
 import org.owasp.validator.html.Policy;
@@ -70,7 +75,7 @@
  */
 public class CssScanner {
 
-    protected static final int DEFAULT_TIMEOUT = 1000;
+    protected static final Timeout DEFAULT_TIMEOUT = Timeout.ofMilliseconds(1000);
 
     private static final String CDATA = "^\\s*<!\\[CDATA\\[(.*)\\]\\]>\\s*$";
 
@@ -263,15 +268,15 @@ private void parseImportedStylesheets(LinkedList<URI> stylesheets, List<String>
 
             // Ensure that we have appropriate timeout values so we don't
             // get DoSed waiting for returns
-            int timeout = DEFAULT_TIMEOUT;
+            Timeout timeout = DEFAULT_TIMEOUT;
             try {
-                timeout = Integer.parseInt(policy.getDirective(Policy.CONNECTION_TIMEOUT));
+                timeout = Timeout.ofMilliseconds(Long.parseLong(policy.getDirective(Policy.CONNECTION_TIMEOUT)));
             } catch (NumberFormatException nfe) {
             }
 
             RequestConfig requestConfig = RequestConfig.custom()
-                    .setSocketTimeout(timeout)
                     .setConnectTimeout(timeout)
+                    .setResponseTimeout(timeout)
                     .setConnectionRequestTimeout(timeout)
                     .build();
 
@@ -302,13 +307,33 @@ private void parseImportedStylesheets(LinkedList<URI> stylesheets, List<String>
                     continue;
                 }
 
-                HttpGet stylesheetRequest = new HttpGet(stylesheetUri);
+                // Pulled directly from: https://github.com/apache/httpcomponents-client/blob/5.1.x/httpclient5/src/test/java/org/apache/hc/client5/http/examples/ClientWithResponseHandler.java
+                // Create a custom response handler to read in the stylesheet
+                final HttpClientResponseHandler<String> responseHandler = new HttpClientResponseHandler<String>() {
+
+                    @Override
+                    public String handleResponse(
+                            final ClassicHttpResponse response) throws IOException {
+                        final int status = response.getCode();
+                        if (status >= HttpStatus.SC_SUCCESS && status < HttpStatus.SC_REDIRECTION) {
+                            final HttpEntity entity = response.getEntity();
+                            try {
+                                return entity != null ? EntityUtils.toString(entity) : null;
+                            } catch (final ParseException | org.apache.hc.core5.http.ParseException ex) {
+                                throw new ClientProtocolException(ex);
+                            }
+                        } else {
+                            throw new ClientProtocolException("Unexpected response status: " + status);
+                        }
+                    }
+                };
 
                 byte[] stylesheet = null;
+
                 try {
+                    String responseBody = httpClient.execute(new HttpGet(stylesheetUri), responseHandler);
                     // pull down stylesheet, observing size limit
-                    HttpResponse response = httpClient.execute(stylesheetRequest);
-                    stylesheet = EntityUtils.toByteArray(response.getEntity());
+                    stylesheet = responseBody.getBytes();
                     if (stylesheet != null && stylesheet.length > sizeLimit) {
                         errorMessages.add(ErrorMessageUtil.getMessage(
                                 messages,
@@ -323,8 +348,6 @@ private void parseImportedStylesheets(LinkedList<URI> stylesheets, List<String>
                             messages,
                             ErrorMessageUtil.ERROR_CSS_IMPORT_FAILURE,
                             new Object[] { HTMLEntityEncoder.htmlEntityEncode(stylesheetUri.toString()) }));
-                } finally {
-                    stylesheetRequest.releaseConnection();
                 }
 
                 if (stylesheet != null) {

src/main/java/org/owasp/validator/html/InternalPolicy.java

@@ -132,6 +132,8 @@ public boolean isOmitXmlDeclaration() {
         return omitXmlDeclaration;
     }
 
+    /** @deprecated XHTML usage will go away in AntiSamy 1.7+ */
+    @Deprecated
     public boolean isUseXhtml() {
         return useXhtml;
     }

src/main/java/org/owasp/validator/html/Policy.java

@@ -133,6 +133,8 @@ public class Policy {
 
     public static final String OMIT_XML_DECLARATION = "omitXmlDeclaration";
     public static final String OMIT_DOCTYPE_DECLARATION = "omitDoctypeDeclaration";
+    /** @deprecated XHTML usage will go away in AntiSamy 1.7+ */
+    @Deprecated
     public static final String USE_XHTML = "useXHTML";
     public static final String FORMAT_OUTPUT = "formatOutput";
     public static final String EMBED_STYLESHEETS = "embedStyleSheets";
@@ -144,6 +146,8 @@ public class Policy {
     public static final String PRESERVE_COMMENTS = "preserveComments";
     public static final String ENTITY_ENCODE_INTL_CHARS = "entityEncodeIntlChars";
     public static final String ALLOW_DYNAMIC_ATTRIBUTES = "allowDynamicAttributes";
+    public static final String MAX_INPUT_SIZE = "maxInputSize";
+    public static final String MAX_STYLESHEET_IMPORTS = "maxStyleSheetImports";
 
     public static final String EXTERNAL_GENERAL_ENTITIES = "http://xml.org/sax/features/external-general-entities";
     public static final String EXTERNAL_PARAM_ENTITIES = "http://xml.org/sax/features/external-parameter-entities";

src/main/java/org/owasp/validator/html/scan/ASXHTMLSerializer.java

@@ -12,8 +12,10 @@
 /**
  * This is an extension of the default XHTMLSerializer class that's had it's endElementIO()
  * method tweaked to serialize closing tags and self-closing tags the way we require.
+ *
+ * @deprecated XHTML usage will go away in AntiSamy 1.7+
  */
-@SuppressWarnings("deprecation")
+@Deprecated
 public class ASXHTMLSerializer extends org.apache.xml.serialize.XHTMLSerializer {
 
 	private boolean encodeAllPossibleEntities;

src/main/java/org/owasp/validator/html/scan/AntiSamyDOMScanner.java

@@ -407,10 +407,17 @@ private boolean processStyleTag(Element ele, Node parentNode) {
         CssScanner styleScanner = new CssScanner(policy, messages, policy.isEmbedStyleSheets());
 
         try {
-            Node firstChild = ele.getFirstChild();
-            if (firstChild != null) {
+            if (ele.getChildNodes().getLength() > 0) {
+                String toScan = "";
+
+                for (int i = 0; i < ele.getChildNodes().getLength(); i++) {
+                    Node childNode = ele.getChildNodes().item(i);
+                    if (!toScan.isEmpty()){
+                        toScan += "\n";
+                    }
+                    toScan += childNode.getTextContent();
+                }
 
-                String toScan = firstChild.getNodeValue();
                 CleanResults cr = styleScanner.scanStyleSheet(toScan, policy.getMaxInputSize());
                 errorMessages.addAll(cr.getErrorMessages());
 
@@ -422,12 +429,17 @@ private boolean processStyleTag(Element ele, Node parentNode) {
                  * break all CSS. To prevent that, we have this check.
                  */
 
-                final String cleanHTML = cr.getCleanHTML();
+                String cleanHTML = cr.getCleanHTML();
+                cleanHTML = cleanHTML == null || cleanHTML.equals("") ? "/* */" : cleanHTML;
 
-                if (cleanHTML == null || cleanHTML.equals("")) {
-                    firstChild.setNodeValue("/* */");
-                } else {
-                    firstChild.setNodeValue(cleanHTML);
+                ele.getFirstChild().setNodeValue(cleanHTML);
+                /*
+                 * Remove every other node after cleaning CSS, there will
+                 * be only one node in the end, as it always should have.
+                 */
+                for (int i = 1; i < ele.getChildNodes().getLength(); i++) {
+                    Node childNode = ele.getChildNodes().item(i);
+                    ele.removeChild(childNode);
                 }
             }
 

src/main/resources/antisamy.xsd

@@ -13,7 +13,8 @@
 				<xsd:element name="tags-to-encode" type="TagsToEncodeList" minOccurs="0"/>
 				<xsd:element name="tag-rules" type="TagRules"/>
 				<xsd:element name="css-rules" type="CSSRules"/>
-	        	<xsd:element name="allowed-empty-tags" type="AllowedEmptyTags" minOccurs="0"/>
+				<xsd:element name="allowed-empty-tags" type="LiteralListTag" minOccurs="0"/>
+				<xsd:element name="require-closing-tags" type="LiteralListTag" minOccurs="0"/>
 			</xsd:sequence>
 		</xsd:complexType>
 	</xsd:element>
@@ -65,7 +66,7 @@
 		<xsd:attribute name="action" use="required"/>
 	</xsd:complexType>
 
-    <xsd:complexType name="AllowedEmptyTags">
+    <xsd:complexType name="LiteralListTag">
         <xsd:sequence>
             <xsd:element name="literal-list" type="LiteralList" minOccurs="0"/>
         </xsd:sequence>