
Release version 1.6.5

@davewichers davewichers released this 01 Feb 01:21
b7c1511

This release addresses the following issues:

  1. Enhancement #89: Add rel="noopener" to anchor if target="_blank" is set

We have added a new policy directive 'noopenerAndNoreferrerAnchors' which, if set, adds 'noopener noreferrer' to the rel attribute of anchor tags whose target="_blank", to reduce the risk of https://owasp.org/www-community/attacks/Reverse_Tabnabbing attacks. This is similar to adding 'nofollow' in the same situation, which is already done by default. Currently, 'noopener' and 'noreferrer' are not added by default, but have to be enabled in the AntiSamy policy file. Future versions of AntiSamy may make this the default behavior, to match how 'nofollow' is added automatically.

  2. Bug #103: AntiSamy 1.6.4 doesn't play nicely with xalan-j 2.7.2

In 1.6.4, changes were made to disable some external entity features in the use of an XML TransformerFactory, to reduce the risk of XXE if an attacker were able to modify a developer-provided AntiSamy XML policy file. As it turns out, the use of Java's TransformerFactory.newTransformer() is problematic: if an AntiSamy library user has another Xalan Transformer on their classpath, that class will be returned by the invocation of this method instead of the JDK-provided version, and that Transformer might not support the JAXP 1.5 security features we are invoking. To fix this, we now force the instantiation of the JDK-provided Xalan XML Transformer com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl, which does support these JAXP 1.5 security features and is available in all versions of the JDK we tested, from Java 7 through Java 19.

By fixing it this way, we don't affect an external application's use of any other Xalan parsers it might be using. We are just defaulting AntiSamy's own use of the Xalan parser to the JDK-provided one (com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl).

However, we determined that some AntiSamy users might not want to use this JDK-provided Xalan TransformerFactoryImpl. As such, we also added a Java system property, "antisamy.transformerfactory.impl", which can be used to override this default with a different TransformerFactoryImpl of your choosing.
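As an added illustration (not AntiSamy's own code), the following shows the approach described above: select the factory by class name, honoring the "antisamy.transformerfactory.impl" override, then apply the JAXP 1.5 attributes and fail closed when the chosen factory rejects them, which is the situation that produced bug #103. The class and method names (HardenedTransformerFactory, create, setOrFail) are hypothetical.

```java
import javax.xml.XMLConstants;
import javax.xml.transform.TransformerFactory;

/** Constructed example: obtain and harden a TransformerFactory for policy-file parsing. */
public final class HardenedTransformerFactory {

    // System property named in the release notes; the default is the JDK's bundled Xalan.
    static final String OVERRIDE_PROPERTY = "antisamy.transformerfactory.impl";
    static final String JDK_XALAN_FACTORY =
            "com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl";

    static TransformerFactory create() {
        String impl = System.getProperty(OVERRIDE_PROPERTY, JDK_XALAN_FACTORY);
        // Requesting the class by name bypasses the ServiceLoader/classpath lookup that
        // the no-argument newInstance() performs, so a third-party Xalan on the
        // application's classpath is not picked up by accident.
        TransformerFactory factory = TransformerFactory.newInstance(impl, null);

        // JAXP 1.5: an empty protocol list forbids fetching external DTDs and external
        // stylesheets (xsl:import / xsl:include / document()) while processing the policy.
        setOrFail(factory, XMLConstants.ACCESS_EXTERNAL_DTD);
        setOrFail(factory, XMLConstants.ACCESS_EXTERNAL_STYLESHEET);
        return factory;
    }

    private static void setOrFail(TransformerFactory factory, String attribute) {
        try {
            factory.setAttribute(attribute, "");
        } catch (IllegalArgumentException e) {
            // A factory that predates JAXP 1.5 rejects the attribute (the 1.6.4 symptom).
            // Refuse to continue unhardened instead of silently parsing without limits.
            throw new IllegalStateException(factory.getClass().getName()
                    + " does not support " + attribute + "; set -D" + OVERRIDE_PROPERTY
                    + " to a JAXP 1.5-capable TransformerFactory", e);
        }
    }

    public static void main(String[] args) {
        TransformerFactory factory = create();
        System.out.println("Using " + factory.getClass().getName());
    }
}
```

Running it with -Dantisamy.transformerfactory.impl=org.apache.xalan.processor.TransformerFactoryImpl against an old Xalan on the classpath shows the fail-closed path; without the property it reports the JDK factory.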

  3. Minor Bug #113: Imported styles are in the wrong order regarding non-imported styles

This issue was fixed in this release. See the issue ticket for more details.

  4. Minor Bug #125: Enhanced antisamy.xml to support css-styles that start with a '-'

This issue was fixed in this release. See the issue ticket for more details.

NOTE: The 1.7.0 release is coming soon. It will drop Java 7 support and deprecated features/APIs, as follows:

1) We expect 1.6.5 to be the last release that supports Java 7. The next release is expected to be 1.7.0, which will require Java 8.
2) The 1.7.0 release will also drop support for two things that were deprecated in the 1.6.x series of releases.

a) AntiSamy 1.6.0 introduced XML schema validation for AntiSamy policy files to address issue #58. In all the 1.6.X releases, enforcement of schema validation is optional, with warnings generated to indicate it should be enforced. Starting with AntiSamy 1.7.0 this will no longer be optional.

To support this new feature while keeping it optional, two new Policy class methods were created and immediately deprecated:

public static boolean getSchemaValidation()
public static void setSchemaValidation(boolean enable)

These two methods will be dropped in the 1.7.0 release, and any AntiSamy policy files that fail schema validation will result in an error and have to be fixed.

b) This 1.6.5 release actually changed some APIs. Specifically:

These constructors are now @deprecated:

public CssHandler(Policy policy, LinkedList embeddedStyleSheets, List errorMessages, ResourceBundle messages)
public CssHandler(Policy policy, LinkedList embeddedStyleSheets, List errorMessages, String tagName, ResourceBundle messages)

And are being replaced with:

public CssHandler(Policy policy, List errorMessages, ResourceBundle messages)
public CssHandler(Policy policy, List errorMessages, ResourceBundle messages, String tagName)

Notice that tagName is now the last parameter in the new API.

Both constructors drop the 2nd parameter (the queue of imported stylesheets), as that queue is now created inside the constructor. A reference to this queue (if needed) can be retrieved using the new method:

public LinkedList getImportedStylesheetsURIList()

We plan to remove these newly deprecated APIs in the 1.7.0 release.