From 651c141f8fbf6484851f94213b3ce260008daf77 Mon Sep 17 00:00:00 2001 From: Mats Byrkjeland Date: Mon, 15 Apr 2024 11:47:09 +0200 Subject: [PATCH] Upgrade OWASP sanitizer This upgrades the OWASP sanitizer library to the latest version. Guava is removed from this version. The order of noreferrer, nofollow, noopener is apparently random now, so I had to rewrite those tests to not care about order. --- NOTICE | 9 ++------- pom.xml | 12 +++--------- .../sanitizing/internal/RichHtmlValidatorTest.java | 11 +++++++++-- 3 files changed, 14 insertions(+), 18 deletions(-) diff --git a/NOTICE b/NOTICE index 4347c0d..b9a29b1 100644 --- a/NOTICE +++ b/NOTICE @@ -12,14 +12,9 @@ specific language governing permissions and limitations under the License. This project includes: - Checker Qual under The MIT License digipost-html-validator under Apache License, Version 2.0 - error-prone annotations under Apache 2.0 - FindBugs-jsr305 under The Apache Software License, Version 2.0 - Guava InternalFutureFailureAccess and InternalFutures under The Apache Software License, Version 2.0 - Guava ListenableFuture only under The Apache Software License, Version 2.0 - Guava: Google Core Libraries for Java under Apache License, Version 2.0 - J2ObjC Annotations under Apache License, Version 2.0 + Java 10 Shim under Apache License, Version 2.0 + Java 8 Shim under Apache License, Version 2.0 OWASP Java HTML Sanitizer under Apache License, Version 2.0 SLF4J API Module under MIT License diff --git a/pom.xml b/pom.xml index 1049bf1..0cb0556 100644 --- a/pom.xml +++ b/pom.xml @@ -38,12 +38,6 @@ pom import - - - com.google.guava - guava - 32.1.2-jre - @@ -61,17 +55,17 @@ com.googlecode.owasp-java-html-sanitizer owasp-java-html-sanitizer - 20211018.2 + 20240325.1 org.slf4j slf4j-api - 1.7.32 + 1.7.36 commons-io commons-io - 2.11.0 + 2.16.1 test 
diff --git a/src/test/java/no/digipost/sanitizing/internal/RichHtmlValidatorTest.java b/src/test/java/no/digipost/sanitizing/internal/RichHtmlValidatorTest.java
index 480dee3..dad779d 100755
--- a/src/test/java/no/digipost/sanitizing/internal/RichHtmlValidatorTest.java
+++ b/src/test/java/no/digipost/sanitizing/internal/RichHtmlValidatorTest.java
@@ -17,6 +17,7 @@ import no.digipost.sanitizing.DigipostValidatingHtmlSanitizer;
 import no.digipost.sanitizing.exception.ValidationException;
+import static org.junit.jupiter.api.Assertions.assertTrue;
 import org.junit.jupiter.api.Test;
 import static org.junit.jupiter.api.Assertions.assertEquals;
@@ -190,13 +191,19 @@ public void skal_tillate_maillenker_uten_target_blank() {
 @Test
 public void skal_bruke_target_blank_på_lenker_ved_andre_targets() {
 String validatedHtml = validator.sanitize("Clicky clicky", ApiHtmlValidatorPolicy.V2_VALIDATE_HTML_AND_CSS_POLICY);
- assertEquals("Clicky clicky", validatedHtml);
+ assertTrue(validatedHtml.contains("target=\"_blank\""));
+ assertTrue(validatedHtml.contains("noopener"));
+ assertTrue(validatedHtml.contains("noreferrer"));
+ assertTrue(validatedHtml.contains("nofollow"));
 }
 @Test
 public void skal_legge_på_target_blank_ved_manglende_target() {
 String validatedHtml = validator.sanitize("Clicky clicky", ApiHtmlValidatorPolicy.V2_VALIDATE_HTML_AND_CSS_POLICY);
- assertEquals("Clicky clicky", validatedHtml);
+ assertTrue(validatedHtml.contains("target=\"_blank\""));
+ assertTrue(validatedHtml.contains("noopener"));
+ assertTrue(validatedHtml.contains("noreferrer"));
+ assertTrue(validatedHtml.contains("nofollow"));
 }
 // https://nvd.nist.gov/vuln/detail/CVE-2021-42575
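Review bot: The four `contains` assertions that replace `assertEquals` in both tests no longer check that the tokens sit inside the link's `rel` attribute, that nothing else survived sanitizing, or that the link's original `target` was replaced rather than kept next to `target="_blank"`, so a sanitizer regression that leaves a stray attribute or a duplicate one would now pass. The test input's markup appears stripped in this rendering, so I cannot confirm what the original `target` value was, but the removed exact-match assertion would have caught such a regression and the weaker check is what the upgraded library now gets tested against. Parsing the `rel` attribute and comparing it as a set keeps the order-independence the commit needs while restoring the stronger check; a shared helper like the one below does it for both tests and should be paired with an `assertFalse` on the old target value once that is known. The helper needs `java.util.regex.Matcher`, `java.util.regex.Pattern`, `java.util.List`, `java.util.Set` and a static import of `assertFalse`; the enclosing class continues outside the hunk.
```java
    @Test
    public void skal_bruke_target_blank_på_lenker_ved_andre_targets() {
        // … unchanged: sanitize call …
        assertTrue(validatedHtml.contains("target=\"_blank\""));
        assertRelTokens(validatedHtml, "noopener", "noreferrer", "nofollow");
    }

    // … unchanged: skal_legge_på_target_blank_ved_manglende_target, same two assertions …

    /** Asserts that the sanitized link carries exactly one rel attribute holding exactly the given tokens, in any order. */
    private static void assertRelTokens(String html, String... expected) {
        Matcher rel = Pattern.compile("rel=\"([^\"]*)\"").matcher(html);
        assertTrue(rel.find(), "sanitized link has no rel attribute: " + html);
        // Set.copyOf tolerates duplicate tokens, so a doubled token fails the assertion instead of throwing
        assertEquals(Set.of(expected), Set.copyOf(List.of(rel.group(1).trim().split("\\s+"))));
        assertFalse(rel.find(), "more than one rel attribute: " + html);
    }
```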