diff --git a/README.md b/README.md index 3d4a21d8..96f26527 100644 --- a/README.md +++ b/README.md @@ -35,7 +35,7 @@ how to get started with or without Maven. ## Prepackaged Policies You can use -[prepackaged policies](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20220608.1/org/owasp/html/Sanitizers.html): +[prepackaged policies](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20240325.1/org/owasp/html/Sanitizers.html): ```Java PolicyFactory policy = Sanitizers.FORMATTING.and(Sanitizers.LINKS); @@ -47,7 +47,7 @@ String safeHTML = policy.sanitize(untrustedHTML); The [tests](https://github.com/OWASP/java-html-sanitizer/blob/main/src/test/java/org/owasp/html/HtmlPolicyBuilderTest.java) show how to configure your own -[policy](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20220608.1/org/owasp/html/HtmlPolicyBuilder.html): +[policy](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20240325.1/org/owasp/html/HtmlPolicyBuilder.html): ```Java PolicyFactory policy = new HtmlPolicyBuilder() @@ -62,7 +62,7 @@ String safeHTML = policy.sanitize(untrustedHTML); ## Custom Policies You can write -[custom policies](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20220608.1/org/owasp/html/ElementPolicy.html) +[custom policies](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20240325.1/org/owasp/html/ElementPolicy.html) to do things like changing `h1`s to `div`s with a certain class: ```Java @@ -85,7 +85,7 @@ need to be explicitly whitelisted using the `allowWithoutAttributes()` method if you want them to be allowed through the filter when these elements do not include any attributes. -[Attribute policies](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20220608.1/org/owasp/html/AttributePolicy.html) allow running custom code too. Adding an attribute policy will not water down any default policy like `style` or URL attribute checks. +[Attribute policies](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20240325.1/org/owasp/html/AttributePolicy.html) allow running custom code too. Adding an attribute policy will not water down any default policy like `style` or URL attribute checks. ```Java new HtmlPolicyBuilder = new HtmlPolicyBuilder() @@ -153,7 +153,7 @@ of the output. ## Telemetry -When a policy rejects an element or attribute it notifies an [HtmlChangeListener](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20220608.1/org/owasp/html/HtmlChangeListener.html). +When a policy rejects an element or attribute it notifies an [HtmlChangeListener](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20240325.1/org/owasp/html/HtmlChangeListener.html). You can use this to keep track of policy violation trends and find out when someone is making an effort to breach your security. diff --git a/aggregate/pom.xml b/aggregate/pom.xml index 7b1f5bab..9e1e3f7a 100644 --- a/aggregate/pom.xml +++ b/aggregate/pom.xml @@ -3,12 +3,12 @@ com.googlecode.owasp-java-html-sanitizer aggregate pom - 20220608.2-SNAPSHOT + 20240325.1 .. com.googlecode.owasp-java-html-sanitizer parent - 20220608.2-SNAPSHOT + 20240325.1 diff --git a/change_log.md b/change_log.md index 04324a49..8768a95c 100644 --- a/change_log.md +++ b/change_log.md @@ -1,6 +1,16 @@ # OWASP Java HTML Sanitizer Change Log Most recent at top. + * Release 20240325.1 + * Remove dependency on Guava + * Raise minimum supported JVM release to 8 + * HTML: Avoid duplicate link `rel` values. + * HTML: Recognize foreign content syntactic context: `mathml` / `svg`. + * CSS: Better support for `font-size`, `overflow-wrap`, `word-break`. + * CSS: Better child combinator parsing. + * Bug: Fixed out of bounds when mixing global style attribute with others. + * Special thanks to (in lexicographic order): + Claudio Weiler, Josh England, Prakhar Maurya, Sven Strickroth, subbudvk * Release 20220608.1 * Fix bugs in CSS tokenization * Fix deocding of HTML character references that lack semicolons diff --git a/docs/getting_started.md b/docs/getting_started.md index fdb5addf..131bee2a 100644 --- a/docs/getting_started.md +++ b/docs/getting_started.md @@ -29,16 +29,16 @@ it to HTML. The [javadoc](http://javadoc.io/doc/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/) covers more detailed topics, including -[customization](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20220608.1/org/owasp/html/HtmlPolicyBuilder.html). +[customization](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20240325.1/org/owasp/html/HtmlPolicyBuilder.html). Important classes are: - * [Sanitizers](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20220608.1/org/owasp/html/Sanitizers.html) contains combinable pre-packaged policies. - * [HtmlPolicyBuilder](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20220608.1/org/owasp/html/HtmlPolicyBuilder.html) lets you easily build custom policies. + * [Sanitizers](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20240325.1/org/owasp/html/Sanitizers.html) contains combinable pre-packaged policies. + * [HtmlPolicyBuilder](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20240325.1/org/owasp/html/HtmlPolicyBuilder.html) lets you easily build custom policies. For advanced use, see: - * [AttributePolicy](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20220608.1/org/owasp/html/AttributePolicy.html) and [ElementPolicy](http://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20180219.1/org/owasp/html/ElementPolicy.html) allow complex customization. - * [HtmlStreamEventReceiver](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20220608.1/org/owasp/html/HtmlStreamEventReceiver.html) if you don't just want a `String` as output. + * [AttributePolicy](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20240325.1/org/owasp/html/AttributePolicy.html) and [ElementPolicy](http://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20180219.1/org/owasp/html/ElementPolicy.html) allow complex customization. + * [HtmlStreamEventReceiver](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20240325.1/org/owasp/html/HtmlStreamEventReceiver.html) if you don't just want a `String` as output. ## Asking Questions diff --git a/docs/maven.md b/docs/maven.md index c24a0464..afc82bb6 100644 --- a/docs/maven.md +++ b/docs/maven.md @@ -23,7 +23,7 @@ Bigger numbers are more recent and the [change log](../change_log.md) can shed light on the salient differences. You should be able to build with the HTML sanitizer. You can read the -[javadoc](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20220608.1/index.html), +[javadoc](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20240325.1/index.html), and if you have questions that aren't answered by these wiki pages, you can ask on the [mailing list](http://groups.google.com/group/owasp-java-html-sanitizer-support). diff --git a/empiricism/pom.xml b/empiricism/pom.xml index 0679df4b..981a0fbd 100644 --- a/empiricism/pom.xml +++ b/empiricism/pom.xml @@ -2,13 +2,13 @@ 4.0.0 com.googlecode.owasp-java-html-sanitizer html-types - 20220608.2-SNAPSHOT + 20240325.1 jar .. com.googlecode.owasp-java-html-sanitizer parent - 20220608.2-SNAPSHOT + 20240325.1 empiricism diff --git a/html-types/pom.xml b/html-types/pom.xml index c3fdcc79..234c8d73 100644 --- a/html-types/pom.xml +++ b/html-types/pom.xml @@ -2,13 +2,13 @@ 4.0.0 com.googlecode.owasp-java-html-sanitizer html-types - 20220608.2-SNAPSHOT + 20240325.1 bundle .. com.googlecode.owasp-java-html-sanitizer parent - 20220608.2-SNAPSHOT + 20240325.1 OWASP Java HTML Sanitizer Safe HTML Compatibility diff --git a/java10-shim/pom.xml b/java10-shim/pom.xml index 21b96c35..2e0d8d38 100644 --- a/java10-shim/pom.xml +++ b/java10-shim/pom.xml @@ -6,13 +6,13 @@ .. com.googlecode.owasp-java-html-sanitizer parent - 20220608.2-SNAPSHOT + 20240325.1 Java 10 Shim Provides an implementation of java8-shim that interoperates with - Java >= 10 idioms for immutable collections. + Java >= 10 idioms for immutable collections. @@ -24,6 +24,13 @@ 10 + + org.apache.maven.plugins + maven-release-plugin + + -Dmaven.javadoc.skip=true + + diff --git a/java10-shim/src/main/java/org/owasp/shim/Notice.java b/java10-shim/src/main/java/org/owasp/shim/Notice.java new file mode 100644 index 00000000..871cbede --- /dev/null +++ b/java10-shim/src/main/java/org/owasp/shim/Notice.java @@ -0,0 +1,8 @@ +package org.owasp.shim; + +/** + * This bundle has no useful public classes as it serves only to provide an + * implementation class loaded reflectively. See Java8Shim for details. + */ +public class Notice { +} diff --git a/java8-shim/pom.xml b/java8-shim/pom.xml index c414253b..ab0e3f30 100644 --- a/java8-shim/pom.xml +++ b/java8-shim/pom.xml @@ -6,7 +6,7 @@ .. com.googlecode.owasp-java-html-sanitizer parent - 20220608.2-SNAPSHOT + 20240325.1 Java 8 Shim diff --git a/owasp-java-html-sanitizer/pom.xml b/owasp-java-html-sanitizer/pom.xml index 9b9dd8b2..3c9bdf5f 100644 --- a/owasp-java-html-sanitizer/pom.xml +++ b/owasp-java-html-sanitizer/pom.xml @@ -6,7 +6,7 @@ .. com.googlecode.owasp-java-html-sanitizer parent - 20220608.2-SNAPSHOT + 20240325.1 OWASP Java HTML Sanitizer diff --git a/pom.xml b/pom.xml index 94bce32c..057850df 100644 --- a/pom.xml +++ b/pom.xml @@ -2,7 +2,7 @@ 4.0.0 com.googlecode.owasp-java-html-sanitizer parent - 20220608.2-SNAPSHOT + 20240325.1 pom