Skip to content

Release version 1.7.1

Compare
Choose a tag to compare
@davewichers davewichers released this 06 Sep 22:42
· 359 commits to main since this release

This release addresses the following issues:

  1. Documentation Improvements: Clarifying that relying on getErrorMessages() or getNumberOfErrors() is UNSAFE.

There has been much confusion about the getErrorMessages() method. The getErrorMessages() method (nor getNumberOfErrors()) does not subtly answer the question "is this safe input?" in the affirmative if it returns an empty list. You must always use the sanitized input and there is no way to be sure the input passed in had no attacks.

We had already added a note about this in the README for AntiSamy 1.7.0, but we have now added similar information to the Javadoc for all the related methods. That way if a developer is reading the Javadoc, they are more likely to notice that these methods are purely informational, and CANNOT be relied on for security. Only CleanResults.getCleanHTML() can be relied on to provide safe/clean HTML to send back to the user's browser.

  1. Announcing plan to deprecate support for external stylesheets

The AntiSamy team has decided that supporting the ability to allow embedded remote CSS is dangerous and so we are deprecating this feature and it will be removed in a future release. It is expected that there are very few, if any, users of this feature.

We have added a log WARNing if this feature is invoked. If you are using this API, please disable/remove this feature by switching to the primary CssScanner() constructor that does not enable this feature, or dropping direct use of this constructor because, by default, this feature it not enabled.

  1. Minor Bug #200: AntiSamy converting single quotes to double quotes for font-family which is causing issue while rendering

This issue was fixed in this release. See the issue ticket for more details.