
fix(deps): update dependency org.owasp.antisamy:antisamy to v1.7.2 - autoclosed #220

Closed
wants to merge 1 commit into from

Conversation

renovate[bot] (Contributor)

@renovate renovate bot commented Aug 5, 2020

Mend Renovate

This PR contains the following updates:

| Package | Change |
| --- | --- |
| org.owasp.antisamy:antisamy | 1.5.3 -> 1.7.2 |

⚠ Dependency Lookup Warnings ⚠

Warnings were logged while processing this repo. Please check the Dependency Dashboard for more information.


Release Notes

nahsra/antisamy

v1.7.2: Release version 1.7.2

This release simply upgrades a number of dependencies, including one with known CVEs. The previous version of batik-css (1.14) used by AntiSamy 1.7.1 has two CVEs: CVE-2022-42890, CVE-2022-41704.

v1.7.1: Release version 1.7.1

This release addresses the following issues:

  1. Documentation Improvements: Clarifying that relying on getErrorMessages() or getNumberOfErrors() is UNSAFE.

There has been much confusion about the getErrorMessages() method. Neither the getErrorMessages() method nor getNumberOfErrors() subtly answers the question "is this safe input?" in the affirmative if it returns an empty list. You must always use the sanitized input, and there is no way to be sure the input passed in had no attacks.

We had already added a note about this in the README for AntiSamy 1.7.0, but we have now added similar information to the Javadoc for all the related methods. That way if a developer is reading the Javadoc, they are more likely to notice that these methods are purely informational, and CANNOT be relied on for security. Only CleanResults.getCleanHTML() can be relied on to provide safe/clean HTML to send back to the user's browser.

  2. Announcing plan to deprecate support for external stylesheets

The AntiSamy team has decided that supporting the ability to allow embedded remote CSS is dangerous and so we are deprecating this feature and it will be removed in a future release. It is expected that there are very few, if any, users of this feature.

We have added a log WARNing if this feature is invoked. If you are using this API, please disable/remove this feature by switching to the primary CssScanner() constructor that does not enable this feature, or by dropping direct use of this constructor because, by default, this feature is not enabled.

  3. Minor Bug #200: AntiSamy converting single quotes to double quotes for font-family which is causing issue while rendering

This issue was fixed in this release. See the issue ticket for more details.

v1.7.0: Release version 1.7.0

This release eliminates everything deprecated in the 1.6.8 release, and includes a few minor plugin and library updates, but otherwise no other changes. The details of the things removed are documented in the README and issue #195. The README describes the new APIs that replace any deprecated APIs that were removed. AntiSamy 1.7.0 requires Java 8+.

v1.6.8: Release version 1.6.8

This release simply upgrades net.sourceforge.htmlunit:neko-htmlunit to version 2.61.0 to eliminate a DOS vulnerability in that library discovered in version 2.60.0 and prior (https://www.cvedetails.com/cve/CVE-2022-29546).

v1.6.7: Release version 1.6.7

This release addresses a minor issue in the security fixes implemented in 1.6.6. While those fixes addressed most of the security concerns in the security issue reported to us by the researcher, our fix had a minor bug that allowed something to sneak through. This release fixes that, and includes the changes from 1.6.6.1 that compile AntiSamy.jar to Java 7 bytecode.

It specifically addresses CVE-2022-29577, which is the complete fix to: CVE-2022-28367: AntiSamy before 1.6.6 allows XSS via HTML tag smuggling on STYLE content. - https://www.cvedetails.com/cve/CVE-2022-29577.

v1.6.6.1: Release version 1.6.6.1

The 1.6.6.1 release corrects a minor issue in the 1.6.6 release:

We accidentally upgraded the byte code generated for antisamy.jar to be Java 8, when it can still be Java 7. So this release generates a Java 7 jar file instead. This allows Java 7 projects to use AntiSamy 1.6.6.1 by doing the following:

Exclude the 2 Java 8 dependencies we currently use:

  • commons-io:commons-io:2.11.0
  • net.sourceforge.htmlunit:neko-htmlunit:2.60.0

You then import and use the last Java 7 versions of these libraries:

  • commons-io:commons-io:2.6
  • net.sourceforge.htmlunit:neko-htmlunit:2.24

A few plugins were upgraded and some were added but none of the dependencies were changed.


The previous 1.6.6 release addressed the following issues:

  1. This release fixes 3 security issues reported by researcher Hyeongkwan Lee

CVEs for these have not been created yet, so we are not providing any details on the issues at this time.

  2. Enhancement #147: Add require-closing-tags to default AntiSamy policy file

  3. Bug #151: Change in behavior between 1.6.4 and 1.6.5 for getErrorMessages

We accidentally stopped propagating an errorMessages parameter in 1 API. This is now fixed.

NOTIFICATION 1: This 1.6.6 release has 2 dependencies which require Java 8, although the AntiSamy source code itself still only requires Java 7.

NOTIFICATION 2: The 1.7.0 release will drop support for several things deprecated in the 1.6.x series of releases.

a) AntiSamy 1.6.0 introduced XML schema validation for AntiSamy policy files to address issue #58. In all the 1.6.X releases, enforcement of schema validation is optional, with warnings generated to indicate it should be enforced. Starting with AntiSamy 1.7.0 this will no longer be optional.

To support this new feature, but keep it optional, 2 new Policy class methods were created, and immediately deprecated:

public static boolean getSchemaValidation()
public static void setSchemaValidation(boolean enable)

These two methods will be dropped in the 1.7.0 release, and any AntiSamy policy files that fail schema validation will result in an error and have to be fixed.

b) AntiSamy 1.6.5 changed some APIs. Specifically:

These constructors are now @Deprecated:

public CssHandler(Policy policy, LinkedList embeddedStyleSheets, List errorMessages, ResourceBundle messages)
public CssHandler(Policy policy, LinkedList embeddedStyleSheets, List errorMessages, String tagName, ResourceBundle messages)

And are being replaced with:

public CssHandler(Policy policy, List errorMessages, ResourceBundle messages)
public CssHandler(Policy policy, List errorMessages, ResourceBundle messages, String tagName) <-- Notice that the tagName is now the last parameter in the new API.

Both constructors drop the 2nd parameter (the queue of stylesheets imported), as that queue is now created inside this constructor. A reference to this queue (if needed) can be retrieved by using the new method:

public LinkedList getImportedStylesheetsURIList()

c) This 1.6.6 release deprecates support for Xhtml. As such, the following are deprecated:

The constant: Policy.USE_XHTML = "useXHTML";
The method: InternalPolicy.isXhtml()
The entire class: org/owasp/validator/html/scan/ASXHTMLSerializer.java

We plan to remove everything deprecated in the 1.7.0 release.

v1.6.6: Release version 1.6.6

This release addresses the following issues:

  1. This release fixes 2 security issues reported by researcher Hyeong Gwan, Yi

CVE-2022-28367: AntiSamy before 1.6.6 allows XSS via HTML tag smuggling on STYLE content. https://www.cvedetails.com/cve/CVE-2022-28367. NOTE: This release only included a PARTIAL fix. It's completely fixed in the 1.6.7 release.

AntiSamy prior to 1.6.6 used the old CyberNeko HTML library v1.9.22, which is subject to https://www.cvedetails.com/cve/CVE-2022-28366 and no longer maintained. AntiSamy 1.6.6 upgraded to an active fork of CyberNeko called HtmlUnit-Neko which fixed this CVE in v2.27 of that library. AntiSamy 1.6.6 upgraded to version 2.60.0 of HtmlUnit-Neko.

  2. Enhancement #147: Add require-closing-tags to default AntiSamy policy file

  3. Bug #151: Change in behavior between 1.6.4 and 1.6.5 for getErrorMessages

We accidentally stopped propagating an errorMessages parameter in 1 API. This is now fixed.

NOTIFICATION 1: This 1.6.6 release has 2 dependencies which require Java 8, although the AntiSamy source code itself still only requires Java 7.

NOTIFICATION 2: The 1.7.0 release will drop support for several things deprecated in the 1.6.x series of releases.

a) AntiSamy 1.6.0 introduced XML schema validation for AntiSamy policy files to address issue #58. In all the 1.6.X releases, enforcement of schema validation is optional, with warnings generated to indicate it should be enforced. Starting with AntiSamy 1.7.0 this will no longer be optional.

To support this new feature, but keep it optional, 2 new Policy class methods were created, and immediately deprecated:

public static boolean getSchemaValidation()
public static void setSchemaValidation(boolean enable)

These two methods will be dropped in the 1.7.0 release, and any AntiSamy policy files that fail schema validation will result in an error and have to be fixed.

b) AntiSamy 1.6.5 changed some APIs. Specifically:

These constructors are now @Deprecated:

public CssHandler(Policy policy, LinkedList embeddedStyleSheets, List errorMessages, ResourceBundle messages)
public CssHandler(Policy policy, LinkedList embeddedStyleSheets, List errorMessages, String tagName, ResourceBundle messages)

And are being replaced with:

public CssHandler(Policy policy, List errorMessages, ResourceBundle messages)
public CssHandler(Policy policy, List errorMessages, ResourceBundle messages, String tagName) <-- Notice that the tagName is now the last parameter in the new API.

Both constructors drop the 2nd parameter (the queue of stylesheets imported), as that queue is now created inside this constructor. A reference to this queue (if needed) can be retrieved by using the new method:

public LinkedList getImportedStylesheetsURIList()

c) This 1.6.6 release deprecates support for Xhtml. As such, the following are deprecated:

The constant: Policy.USE_XHTML = "useXHTML";
The method: InternalPolicy.isXhtml()
The entire class: org/owasp/validator/html/scan/ASXHTMLSerializer.java

We plan to remove everything deprecated in the 1.7.0 release.

v1.6.5: Release version 1.6.5

This release addresses the following issues:

  1. Enhancement #89: Add rel="noopener" to anchor if target="_blank" is set

We have added a new policy directive 'noopenerAndNoreferrerAnchors' which, if set, will add 'noopener noreferrer' to anchor tags if target="_blank" in an HREF to reduce the risk of https://owasp.org/www-community/attacks/Reverse_Tabnabbing attacks. This is similar to adding 'nofollow' in the same situation which is already done by default. Currently, 'noopener' and 'noreferrer' are not added by default, but have to be enabled in the AntiSamy policy file. Future versions of AntiSamy may make this the default behavior, to match how 'nofollow' is added automatically.

  2. Bug #103: AntiSamy 1.6.4 doesn't play nicely with xalan-j 2.7.2

In 1.6.4, changes were made to disable some external entity features in the use of an XML TransformerFactory to reduce the risk of XXE if an attacker were able to modify a developer provided AntiSamy XML policy file. As it turns out, the use of Java's TransformerFactory.newTransformer() is problematic because if an AntiSamy library user has another Xalan Transformer on their classpath, that class will be returned by the invocation of this method, instead of the JDK provided version, and that Transformer might not support the JAXP 1.5 security features we are invoking. As such, to fix this, we now force the instantiation of the JDK provided Xalan XML Transformer com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl which does support these JAXP 1.5 security features and is available in all versions of the JDK we tested from Java 7 through Java 19.

By fixing it this way, we don't affect the external applications use of any other Xalan parsers they might be using. We are just defaulting AntiSamy's use of the Xalan parser to the JDK provided one (com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl).

However, we determined that some AntiSamy users might not want to use this JDK provided Xalan TransformerFactoryImpl. As such, we also added a Java system property called: "antisamy.transformerfactory.impl", which can be used to override this default with a different TransformerFactoryImpl of your choosing.

  3. Minor Bug #113: Imported styles are in the wrong order regarding non-imported styles

This issue was fixed in this release. See the issue ticket for more details.

  4. Minor Bug #125: Enhanced antisamy.xml to support css-styles that start with a '-'

This issue was fixed in this release. See the issue ticket for more details.

NOTE: 1.7.0 release coming soon. Will drop Java 7 support and deprecated features/APIs, as follows:

1) We expect 1.6.5 to be the last release that supports Java 7. The next release is expected to be 1.7.0, which will require Java 8.
2) The 1.7.0 release will also drop support for two things that were deprecated in the 1.6.x series of releases.

a) AntiSamy 1.6.0 introduced XML schema validation for AntiSamy policy files to address issue #58. In all the 1.6.X releases, enforcement of schema validation is optional, with warnings generated to indicate it should be enforced. Starting with AntiSamy 1.7.0 this will no longer be optional.

To support this new feature, but keep it optional, 2 new Policy class methods were created, and immediately deprecated:

public static boolean getSchemaValidation()
public static void setSchemaValidation(boolean enable)

These two methods will be dropped in the 1.7.0 release, and any AntiSamy policy files that fail schema validation will result in an error and have to be fixed.

b) This 1.6.5 release actually changed some APIs. Specifically:

These constructors are now @Deprecated:

public CssHandler(Policy policy, LinkedList embeddedStyleSheets, List errorMessages, ResourceBundle messages)
public CssHandler(Policy policy, LinkedList embeddedStyleSheets, List errorMessages, String tagName, ResourceBundle messages)

And are being replaced with:

public CssHandler(Policy policy, List errorMessages, ResourceBundle messages)
public CssHandler(Policy policy, List errorMessages, ResourceBundle messages, String tagName) <-- Notice that the tagName is now the last parameter in the new API.

Both constructors drop the 2nd parameter (the queue of stylesheets imported), as that queue is now created inside this constructor. A reference to this queue (if needed) can be retrieved by using the new method:

public LinkedList getImportedStylesheetsURIList()

We plan to remove these newly Deprecated APIs in the 1.7.0 release.

v1.6.4: Release version 1.6.4

This release addresses issue #87, which also fixes CVE-2021-35043.

Thanks to Zachary Sims for responsibly disclosing the issue.

v1.6.3: Release version 1.6.3

This release addresses issue #80 by allowing jar: URLs for loading policy files stored inside of JARs. It also adds support for !important CSS tags as described in issue #81. SBOM files are also now produced and included with the release.

v1.6.2: Release version 1.6.2

This release fixes bug #75 reported by the OWASP ESAPI team, and adds some new JavaDoc to the Policy.java class describing the major changes to AntiSamy in the 1.6+ release.

v1.6.1: Release version 1.6.1

The 1.6.0 release erroneously listed slf4j as the logging API, but then directly used log4j. This release eliminates the use of log4j entirely, using slf4j. The 1.6.1 release includes the slf4j-simple logging library, but AntiSamy users can exclude this library and use whatever slf4j logging library they prefer. Please read the README for more details.

v1.6.0: Release version 1.6.0

This release includes a few minor bug fixes and all available upgrades to the libraries and plugins used by the project, including a few upgrades that eliminate known CVEs in those libraries.

The one major change in this release is that AntiSamy XSD schema validation is now enabled by default starting with AntiSamy 1.6.0.

While working on some improvements to AntiSamy's XML Schema Definition (XSD) for AntiSamy policy files, we noticed that AntiSamy was NOT actually enforcing the XSD. So, we've CHANGED the default behavior starting with AntiSamy 1.6.0 to enforce the schema, and not continue if the AntiSamy policy is invalid. However ... we recognize that it might not be possible for developers to fix their AntiSamy policies right away if they are non-compliant, and yet still want to upgrade AntiSamy to pick up any security improvements, feature enhancements, and bug fixes. As such, we've provided two ways to (temporarily!) disable schema validation.

Please read the section "### NOTE: Schema validation behavior change starting with AntiSamy 1.6.0" in the README for details on how to (temporarily) disable schema validation for AntiSamy if your project needs to do so.

v1.5.13: Release version 1.5.13

This release addresses AntiSamy issue #62, which caused a NullPointerException in AntiSamyDOMScanner.java for certain input.

v1.5.12: Release version 1.5.12

This release upgrades the Xerces dependency to 2.12.1 to eliminate the known vulnerability in Xerces 2.12.0 (CVE-2020-14338). While this CVE does not affect AntiSamy given how AntiSamy uses Xerces, we produced this point release to eliminate the known vulnerability in this dependency anyway to eliminate this CVE showing up on dependency tree scanners.

v1.5.11: Release version 1.5.11

This release upgrades dependency httpclient to 4.5.13 to address CVE-2020-13956 in this library.

We note that there is also a known vulnerability (CVE-2020-14338) in xercesImpl:2.12.0 but Apache has not released an update to this library yet to eliminate it. We analyzed this CVE and determined that it does NOT affect AntiSamy. However, if you still want to eliminate this CVE, then you can exclude the version used by AntiSamy and use the version patched by JBoss described here: https://mvnrepository.com/artifact/xerces/xercesImpl/2.12.0.SP03. This will require you to add the JBoss Maven repo to your pom. Alternately, you can upgrade to the patched version released by Apache when that becomes available.

This release also fixes this low risk (phishing) security issue described here:
#48 (Default URL regex allows URL starting with // to jump out of origin domain)

The release also includes some minor code cleanup and various dependency/plugin upgrades that were available.

v1.5.10: Release version 1.5.10

This release upgrades dependency batik-css from 1.12 to 1.13 to address CVE-2019-17566 in batik-css.

And also includes adoption of an old pull request:
https://github.com/nahsra/antisamy/pull/18 (Fix the paragraph and name attribute regular expressions in antisamy.xml)

v1.5.9: Release version 1.5.9

Minor fix to address issue #39. Upgrade all dependencies to latest available versions.

v1.5.8: Release version 1.5.8


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR has been generated by Mend Renovate. View repository job log here.
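The 1.7.1 notes quoted above make one point a reviewer of this bump should carry into the consuming code: getErrorMessages() and getNumberOfErrors() are informational, and CleanResults.getCleanHTML() is the only value that may be sent to a browser. The following is an added example of that usage pattern written for this page; it is not code from the AntiSamy project or from this PR. It uses the public AntiSamy API as it exists in the 1.7.x line (Policy.getInstance, AntiSamy.scan, CleanResults). The class name SafeHtmlSanitizer, the policy resource path /antisamy-policy.xml and the constructed sample input are assumptions for illustration.

```java
import java.io.InputStream;
import java.util.List;

import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

/**
 * Added example (not AntiSamy project code): wraps AntiSamy so that the
 * only output a caller can obtain is CleanResults.getCleanHTML().
 * Error counts and messages are treated as telemetry, never as a gate.
 */
public final class SafeHtmlSanitizer {

    private final Policy policy;
    private final AntiSamy antiSamy = new AntiSamy();

    /**
     * @param policyResource classpath resource holding the AntiSamy policy
     *                       (path is an assumption for this example).
     *                       From 1.7.0 on the file must validate against the
     *                       AntiSamy XSD; Policy.setSchemaValidation(false)
     *                       no longer exists to turn that off.
     */
    public SafeHtmlSanitizer(String policyResource) throws PolicyException {
        InputStream in = SafeHtmlSanitizer.class.getResourceAsStream(policyResource);
        if (in == null) {
            throw new PolicyException("policy resource not found: " + policyResource);
        }
        // Policy objects are immutable; load once and reuse across requests.
        this.policy = Policy.getInstance(in);
    }

    /**
     * Returns HTML that is safe to render under the loaded policy.
     * The input is treated as hostile regardless of what the scan reports.
     */
    public String sanitize(String untrustedHtml) throws ScanException, PolicyException {
        CleanResults results = antiSamy.scan(untrustedHtml, policy);

        // Informational only: good for logging and abuse metrics.
        // An empty list does NOT prove the input contained no attack.
        List<String> messages = results.getErrorMessages();
        if (!messages.isEmpty()) {
            System.err.println("AntiSamy rewrote input: " + messages);
        }

        // The only value that may ever be returned to a user.
        return results.getCleanHTML();
    }

    /**
     * Anti-pattern, kept here only for contrast: returning the ORIGINAL
     * input because the scan reported zero errors. This is exactly the
     * misuse the 1.7.1 release notes warn against.
     */
    public String unsafePassThrough(String untrustedHtml) throws ScanException, PolicyException {
        CleanResults results = antiSamy.scan(untrustedHtml, policy);
        if (results.getNumberOfErrors() == 0) {
            return untrustedHtml; // BUG: unsanitized bytes reach the browser
        }
        return results.getCleanHTML();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input for this example.
        String dirty = "<b>hello</b><script>alert(1)</script>"
                + "<a href=\"https://example.com\" target=\"_blank\">x</a>";

        // Optional (1.6.5+): if another Xalan on the classpath must be used
        // instead of the JDK-provided TransformerFactory, set the system
        // property named in the 1.6.5 notes before the first scan, e.g.
        // System.setProperty("antisamy.transformerfactory.impl", "<fqcn>");

        SafeHtmlSanitizer sanitizer = new SafeHtmlSanitizer("/antisamy-policy.xml");
        System.out.println(sanitizer.sanitize(dirty));
    }
}
```

The design choice is that sanitize() exposes no path by which the caller can get the original string back: even a team that later adds "skip when no errors" logic has to go through unsafePassThrough(), which exists here only to make the misuse visible in review. Whether target="_blank" anchors come back with rel="noopener noreferrer" depends on the noopenerAndNoreferrerAnchors directive in the policy file described in the 1.6.5 notes; it is not on by default.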

@renovate renovate bot force-pushed the renovate/antisamy.version branch from d14da8c to 2613482 on September 15, 2020 13:29
@renovate renovate bot force-pushed the renovate/antisamy.version branch from 2613482 to 1e24d2b on October 6, 2020 14:10
@renovate renovate bot force-pushed the renovate/antisamy.version branch 2 times, most recently from 48c2966 to 3a1319c on October 27, 2020 12:49
@renovate renovate bot force-pushed the renovate/antisamy.version branch from 3a1319c to 6f2e1b3 on November 24, 2020 17:59
@renovate renovate bot changed the title from "Update dependency org.owasp.antisamy:antisamy to v1.5.10" to "Update dependency org.owasp.antisamy:antisamy to v1.5.11" on Nov 24, 2020
@renovate renovate bot force-pushed the renovate/antisamy.version branch 2 times, most recently from 2e8ee4d to 8c4438b on November 24, 2020 18:15
@renovate renovate bot force-pushed the renovate/antisamy.version branch from 8c4438b to d7851f0 on December 9, 2020 11:35
@renovate renovate bot force-pushed the renovate/antisamy.version branch 2 times, most recently from 5b0619e to 42f59b6 on December 22, 2020 14:34
@renovate renovate bot changed the title from "Update dependency org.owasp.antisamy:antisamy to v1.5.11" to "Update dependency org.owasp.antisamy:antisamy to v1.5.12" on Jan 9, 2021
@renovate renovate bot force-pushed the renovate/antisamy.version branch 2 times, most recently from d73d4f9 to 05a4a10 on January 13, 2021 02:14
@renovate renovate bot changed the title from "Update dependency org.owasp.antisamy:antisamy to v1.5.12" to "Update dependency org.owasp.antisamy:antisamy to v1.5.13" on Jan 13, 2021
@renovate renovate bot force-pushed the renovate/antisamy.version branch 4 times, most recently from 9161cfd to 47d2453 on January 16, 2021 14:05
@renovate renovate bot force-pushed the renovate/antisamy.version branch from 47d2453 to e1e5d09 on February 1, 2021 16:31
@renovate renovate bot force-pushed the renovate/antisamy.version branch from e1e5d09 to 15ed3ce on August 6, 2021 22:08
@renovate renovate bot changed the title from "Update dependency org.owasp.antisamy:antisamy to v1.5.13" to "chore(deps): update dependency org.owasp.antisamy:antisamy to v1.6.4" on Aug 6, 2021
@renovate renovate bot force-pushed the renovate/antisamy.version branch from 15ed3ce to 6c73ed1 on August 24, 2021 19:25
@renovate renovate bot force-pushed the renovate/antisamy.version branch from 6c73ed1 to 3cf9881 on February 5, 2022 03:06
@renovate renovate bot changed the title from "chore(deps): update dependency org.owasp.antisamy:antisamy to v1.6.4" to "fix(deps): update dependency org.owasp.antisamy:antisamy to v1.6.5" on Feb 5, 2022
@renovate renovate bot force-pushed the renovate/antisamy.version branch 5 times, most recently from 003dd3c to 5bb76a9 on February 5, 2022 16:02
@renovate renovate bot force-pushed the renovate/antisamy.version branch 3 times, most recently from e06ae9f to 126e882 on May 23, 2022 22:10
@renovate renovate bot force-pushed the renovate/antisamy.version branch 2 times, most recently from 97bba96 to 4fbce4e on July 16, 2022 23:51
@renovate renovate bot changed the title from "fix(deps): update dependency org.owasp.antisamy:antisamy to v1.6.8" to "fix(deps): update dependency org.owasp.antisamy:antisamy to v1.7.0" on Jul 16, 2022
@renovate renovate bot force-pushed the renovate/antisamy.version branch 2 times, most recently from 94c2bd7 to 97d0546 on July 17, 2022 00:13
@renovate renovate bot force-pushed the renovate/antisamy.version branch 3 times, most recently from d0906d7 to 7676d5a on August 1, 2022 19:20
@renovate renovate bot force-pushed the renovate/antisamy.version branch from 7676d5a to 28f0b59 on September 7, 2022 02:34
@renovate renovate bot changed the title from "fix(deps): update dependency org.owasp.antisamy:antisamy to v1.7.0" to "fix(deps): update dependency org.owasp.antisamy:antisamy to v1.7.1" on Sep 7, 2022
@renovate renovate bot force-pushed the renovate/antisamy.version branch 2 times, most recently from ca93082 to e4d5347 on September 10, 2022 00:23
@renovate renovate bot force-pushed the renovate/antisamy.version branch 2 times, most recently from 83982eb to 0ec0431 on September 20, 2022 17:10
@renovate renovate bot force-pushed the renovate/antisamy.version branch from 0ec0431 to e61db64 on October 10, 2022 12:44
@renovate renovate bot force-pushed the renovate/antisamy.version branch 3 times, most recently from b78311f to 09d7f2b on October 24, 2022 16:36
@renovate renovate bot force-pushed the renovate/antisamy.version branch from 09d7f2b to c493bb0 on November 18, 2022 17:46
@renovate renovate bot changed the title from "fix(deps): update dependency org.owasp.antisamy:antisamy to v1.7.1" to "fix(deps): update dependency org.owasp.antisamy:antisamy to v1.7.2" on Nov 18, 2022
@renovate renovate bot force-pushed the renovate/antisamy.version branch 2 times, most recently from 4c32845 to f6d6b6d on December 12, 2022 16:53
@renovate renovate bot force-pushed the renovate/antisamy.version branch from f6d6b6d to 5f1d4b8 on December 12, 2022 21:25
@renovate renovate bot changed the title from "fix(deps): update dependency org.owasp.antisamy:antisamy to v1.7.2" to "fix(deps): update dependency org.owasp.antisamy:antisamy to v1.7.2 - autoclosed" on Dec 14, 2022
@renovate renovate bot closed this on Dec 14, 2022
@renovate renovate bot deleted the renovate/antisamy.version branch on December 14, 2022 19:44