Upgrade OWASP sanitizer

This upgrades the OWASP sanitizer library to the latest version. Guava is removed from this version. The order of noreferrer, nofollow, noopener is apparently random now, so I had to rewrite those tests to not care about order.
digipost · Apr 15, 2024 · 651c141 · 651c141
1 parent 882c020
commit 651c141
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 18 deletions.
diff --git a/NOTICE b/NOTICE
@@ -12,14 +12,9 @@ specific language governing permissions and limitations
 under the License.
 
 This project includes:
-  Checker Qual under The MIT License
   digipost-html-validator under Apache License, Version 2.0
-  error-prone annotations under Apache 2.0
-  FindBugs-jsr305 under The Apache Software License, Version 2.0
-  Guava InternalFutureFailureAccess and InternalFutures under The Apache Software License, Version 2.0
-  Guava ListenableFuture only under The Apache Software License, Version 2.0
-  Guava: Google Core Libraries for Java under Apache License, Version 2.0
-  J2ObjC Annotations under Apache License, Version 2.0
+  Java 10 Shim under Apache License, Version 2.0
+  Java 8 Shim under Apache License, Version 2.0
   OWASP Java HTML Sanitizer under Apache License, Version 2.0
   SLF4J API Module under MIT License
 
diff --git a/pom.xml b/pom.xml
@@ -38,12 +38,6 @@
                 <type>pom</type>
                 <scope>import</scope>
             </dependency>
-            <!-- Override Guava version of owasp-java-html-sanitizer to fix vulnerability -->
-            <dependency>
-                <groupId>com.google.guava</groupId>
-                <artifactId>guava</artifactId>
-                <version>32.1.2-jre</version>
-            </dependency>
         </dependencies>
     </dependencyManagement>
 
@@ -61,17 +55,17 @@
         <dependency>
             <groupId>com.googlecode.owasp-java-html-sanitizer</groupId>
             <artifactId>owasp-java-html-sanitizer</artifactId>
-            <version>20211018.2</version>
+            <version>20240325.1</version>
         </dependency>
         <dependency>
             <groupId>org.slf4j</groupId>
             <artifactId>slf4j-api</artifactId>
-            <version>1.7.32</version>
+            <version>1.7.36</version>
         </dependency>
         <dependency>
             <groupId>commons-io</groupId>
             <artifactId>commons-io</artifactId>
-            <version>2.11.0</version>
+            <version>2.16.1</version>
             <scope>test</scope>
         </dependency>
         <dependency>

diff --git a/src/test/java/no/digipost/sanitizing/internal/RichHtmlValidatorTest.java b/src/test/java/no/digipost/sanitizing/internal/RichHtmlValidatorTest.java
@@ -17,6 +17,7 @@
 
 import no.digipost.sanitizing.DigipostValidatingHtmlSanitizer;
 import no.digipost.sanitizing.exception.ValidationException;
+import static org.junit.jupiter.api.Assertions.assertTrue;
 import org.junit.jupiter.api.Test;
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
@@ -190,13 +191,19 @@ public void skal_tillate_maillenker_uten_target_blank() {
     @Test
     public void skal_bruke_target_blank_på_lenker_ved_andre_targets() {
         String validatedHtml = validator.sanitize("<a href=\"http://example.org\" target=\"_self\">Clicky clicky</a>", ApiHtmlValidatorPolicy.V2_VALIDATE_HTML_AND_CSS_POLICY);
-        assertEquals("<a href=\"http://example.org\" target=\"_blank\" rel=\"nofollow noreferrer noopener\">Clicky clicky</a>", validatedHtml);
+        assertTrue(validatedHtml.contains("target=\"_blank\""));
+        assertTrue(validatedHtml.contains("noopener"));
+        assertTrue(validatedHtml.contains("noreferrer"));
+        assertTrue(validatedHtml.contains("nofollow"));
     }
 
     @Test
     public void skal_legge_på_target_blank_ved_manglende_target() {
         String validatedHtml = validator.sanitize("<a href=\"http://example.org\">Clicky clicky</a>", ApiHtmlValidatorPolicy.V2_VALIDATE_HTML_AND_CSS_POLICY);
-        assertEquals("<a href=\"http://example.org\" target=\"_blank\" rel=\"nofollow noreferrer noopener\">Clicky clicky</a>", validatedHtml);
+        assertTrue(validatedHtml.contains("target=\"_blank\""));
+        assertTrue(validatedHtml.contains("noopener"));
+        assertTrue(validatedHtml.contains("noreferrer"));
+        assertTrue(validatedHtml.contains("nofollow"));
     }
 
     // https://nvd.nist.gov/vuln/detail/CVE-2021-42575