$ git log -n 20 --format=full --stat

commit 659ab22922de7597793971fc90a5313e41f6538f
Author: Mike Samuel <mikesamuel@gmail.com>
Commit: Mike Samuel <mikesamuel@gmail.com>

    add test for XSS from twitter

 src/test/java/org/owasp/html/HtmlPolicyBuilderTest.java | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

commit e4eff4f8e995ad13c1f33b477443b544e8afa97b
Author: Mike Samuel <mikesamuel@gmail.com>
Commit: Mike Samuel <mikesamuel@gmail.com>

    documented

 src/main/java/org/owasp/html/HtmlChangeListener.java | 9 +++++++++
 src/main/java/org/owasp/html/HtmlChangeReporter.java | 2 +-
 2 files changed, 10 insertions(+), 1 deletion(-)

commit 778d5c26b88ff07812021376f18f1fbe9bc5a381
Author: Mike Samuel <mikesamuel@gmail.com>
Commit: Mike Samuel <mikesamuel@gmail.com>

    test previously untested global policy merging code in PolicyFactory

 .../java/org/owasp/html/PolicyFactoryTest.java | 223 +++++++++++++++++++++
 1 file changed, 223 insertions(+)

commit c983b9c0e1d685d832890df187f564dc4b15af04
Author: Mike Samuel <mikesamuel@gmail.com>
Commit: Mike Samuel <mikesamuel@gmail.com>

    Fixed bug: srcset element joining missing space.

    The string

    /url1, /url2, /url3

    has two invalid URLs since the comma attaches to the URL.

    When there is no metadata this should be rendered

    /url1 , /url2 , /url3

    In practice this doesn't matter for non-malicious code
    since the only URL that has no metadata should be the last,
    fallback URL; and there's no attack scenario where appending
    a comma to the end of an attacker controlled URL helps the
    attacker.

    This commit uses " , " to separate URL&metadata pairs in
    srcset attributes.

    It also adds tests for corner cases of the srcset parser and
    valid floating point number parser.

 .../java/org/owasp/html/SrcsetAttributePolicy.java | 2 +-
 src/main/java/org/owasp/html/Strings.java | 19 +++++---
 .../java/org/owasp/html/HtmlPolicyBuilderTest.java | 18 +++++---
 src/test/java/org/owasp/html/StringsTest.java | 50 ++++++++++++++++++++++
 4 files changed, 76 insertions(+), 13 deletions(-)

commit 3ec5c201a334f924e340a260e11c4a49f31b2406
Author: Mike Samuel <mikesamuel@gmail.com>
Commit: Mike Samuel <mikesamuel@gmail.com>

    Bumped dev version

 aggregate/pom.xml | 4 ++--
 empiricism/pom.xml | 4 ++--
 html-types/pom.xml | 4 ++--
 parent/pom.xml | 2 +-
 pom.xml | 2 +-
 5 files changed, 8 insertions(+), 8 deletions(-)

commit b7b4f42eed467bc4bcc9745662853e1c614b5d4f
Author: Mike Samuel <mikesamuel@gmail.com>
Commit: Mike Samuel <mikesamuel@gmail.com>

    Release candidate 20190325.1

 README.md | 6 +++---
 aggregate/pom.xml | 4 ++--
 change_log.md | 2 +-
 docs/getting_started.md | 10 +++++-----
 docs/maven.md | 2 +-
 empiricism/pom.xml | 4 ++--
 html-types/pom.xml | 4 ++--
 parent/pom.xml | 2 +-
 pom.xml | 2 +-
 9 files changed, 18 insertions(+), 18 deletions(-)

commit 72abb6c9f018f4d5096bfe32cc2893e79a3a35b2
Author: Mike Samuel <mikesamuel@gmail.com>
Commit: Mike Samuel <mikesamuel@gmail.com>

    Delete lib/**

    Prior to moving to `mvn` for building, the lib directory collected
    dependencies.

    Fixes #160

 lib/commons-codec-1.4/LICENSE.txt | 202 --
 lib/commons-codec-1.4/NOTICE.txt | 14 -
 lib/commons-codec-1.4/RELEASE-NOTES.txt | 57 -
 lib/commons-codec-1.4/commons-codec-1.4.jar | Bin 58160 -> 0 bytes
 lib/guava-libraries/COPYING | 202 --
 lib/guava-libraries/README | 46 -
 lib/guava-libraries/VERSION | 5 -
 lib/guava-libraries/guava-src.jar | Bin 943695 -> 0 bytes
 lib/guava-libraries/guava.jar | Bin 1648200 -> 0 bytes
 lib/htmlparser-1.3/LICENSE.txt | 96 -
 lib/htmlparser-1.3/README.txt | 5 -
 lib/htmlparser-1.3/doc/README | 15 -
 .../doc/named-character-references.html | 4 -
 lib/htmlparser-1.3/doc/tokenization.txt | 1147 ----------
 lib/htmlparser-1.3/doc/tree-construction.txt | 2201 --------------------
 .../htmlparser-1.3-with-transitions.jar | Bin 430989 -> 0 bytes
 lib/htmlparser-1.3/htmlparser-1.3.jar | Bin 430979 -> 0 bytes
 lib/jsr305/COPYING | 11 -
 lib/jsr305/jsr305.jar | Bin 33036 -> 0 bytes
 lib/junit/README.html | 672 ------
 lib/junit/VERSION | 1 -
 lib/junit/cpl-v10.html | 125 --
 lib/junit/junit-dep.jar | Bin 217975 -> 0 bytes
 lib/junit/junit-src.jar | Bin 130755 -> 0 bytes
 lib/junit/junit.jar | Bin 237047 -> 0 bytes
 25 files changed, 4803 deletions(-)

commit 2ca428433034a349761eff03e84bbd9b763b4dcc
Author: Mike Samuel <mikesamuel@gmail.com>
Commit: Mike Samuel <mikesamuel@gmail.com>

    Properly parse srcset attributes

    Fixes issue #112

    Previously, extra URL handling for `src`, `href` and related attributes
    was naively applied to `srcset`.

    This failed safe but mangled content.

    I consolidated (in a previous commit) the code that ensures that URL and `style`
    attributes have extra checks done: the global URL and style policies
    respectively.

    This commit adds special handling for srcset which uses the global URL policy
    to vet each URL policy and leaves the metadata portion alone.

    Commas in the middle of URLs in a `srcset` value will be escaped to `%2c`.

 change_log.md | 2 +
 .../java/org/owasp/html/HtmlPolicyBuilder.java | 10 +-
 .../java/org/owasp/html/SrcsetAttributePolicy.java | 134 +++++++++++++++++++++
 src/main/java/org/owasp/html/Strings.java | 81 +++++++++++++
 .../java/org/owasp/html/HtmlPolicyBuilderTest.java | 76 ++++++++++++
 5 files changed, 302 insertions(+), 1 deletion(-)
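
The two srcset commits in this log, 2ca4284 ("Properly parse srcset attributes") and c983b9c ("Fixed bug: srcset element joining missing space"), together describe one pipeline: tokenize the attribute into URL/descriptor candidates, run each URL through the global URL policy, leave the descriptor (metadata) untouched, percent-encode any comma inside a kept URL as %2c, and re-join the candidates with " , " so a comma never lands directly on a bare URL. The Python below is an added illustration of that pipeline written for this log, not code from java-html-sanitizer; allow_safe_url is a constructed stand-in for the sanitizer's global URL policy, the tokenizer is a simplified version of the HTML srcset rules, and every srcset value in it is a constructed sample.

```python
from urllib.parse import urlsplit


def allow_safe_url(url):
    """Constructed stand-in for the sanitizer's global URL policy: keep
    relative URLs and http(s), reject everything else (javascript:, data:, ...).
    Returns the URL to emit, or None to drop the candidate."""
    scheme = urlsplit(url).scheme.lower()
    return url if scheme in ("", "http", "https") else None


def parse_srcset(value):
    """Split a srcset value into (url, descriptor) pairs.

    Simplified form of the HTML spec's srcset tokenizer: a URL runs to the
    next whitespace; a URL ending in commas has no descriptor and the commas
    are stripped; otherwise the descriptor runs to the next comma outside
    parentheses. Splitting the whole value on ',' would be wrong because a
    URL itself may contain commas (data: URLs, query strings)."""
    candidates = []
    i, n = 0, len(value)
    while i < n:
        # Skip whitespace and separator commas before the next URL.
        while i < n and (value[i].isspace() or value[i] == ","):
            i += 1
        if i >= n:
            break
        start = i
        while i < n and not value[i].isspace():
            i += 1
        url = value[start:i]
        if url.endswith(","):
            url = url.rstrip(",")
            descriptor = ""
        else:
            start = i
            depth = 0
            while i < n:
                c = value[i]
                if c == "(":
                    depth += 1
                elif c == ")" and depth > 0:
                    depth -= 1
                elif c == "," and depth == 0:
                    break
                i += 1
            descriptor = value[start:i].strip()
            i += 1  # step over the terminating comma (harmless at end of input)
        if url:
            candidates.append((url, descriptor))
    return candidates


def sanitize_srcset(value, url_policy=allow_safe_url):
    """Vet every URL in a srcset with url_policy, leave descriptors alone,
    and re-serialize so the output cannot be re-tokenized differently."""
    kept = []
    for url, descriptor in parse_srcset(value):
        vetted = url_policy(url)
        if vetted is None:
            continue  # a rejected candidate is dropped, not blanked
        # A comma left inside a URL could be read as a candidate separator by
        # a downstream consumer that splits on ',', so percent-encode it.
        vetted = vetted.replace(",", "%2c")
        kept.append(vetted + " " + descriptor if descriptor else vetted)
    # " , " rather than ", ": a comma directly after a descriptor-less URL
    # would be tokenized as part of that URL.
    return " , ".join(kept)


if __name__ == "__main__":
    # Constructed sample mixing a rejected scheme and a comma inside a URL.
    sample = "/a,b.png 1x, javascript:alert(1) 2x, https://cdn.example/c.png 2x"
    print(sanitize_srcset(sample))
```

Run stand-alone it prints "/a%2cb.png 1x , https://cdn.example/c.png 2x": the javascript: candidate is gone, the embedded comma is encoded, and the separators carry a space on both sides. Feeding the commit's own "/url1, /url2, /url3" through sanitize_srcset yields "/url1 , /url2 , /url3", the rendering the c983b9c message asks for.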

commit 6557bfb86363fd9ad77ce96b9c6a7f432e63dea0
Author: Mike Samuel <mikesamuel@gmail.com>
Commit: Mike Samuel <mikesamuel@gmail.com>

    cleanup uses of deprecated Guava APIs

 src/main/java/org/owasp/html/AutoCloseableHtmlStreamRenderer.java | 6 +++---
 src/main/java/org/owasp/html/Handler.java | 8 +++++---
 src/main/java/org/owasp/html/examples/EbayPolicyExample.java | 6 +++---
 src/main/java/org/owasp/html/examples/SlashdotPolicyExample.java | 4 ++--
 src/test/java/org/owasp/html/Benchmark.java | 2 +-
 src/test/java/org/owasp/html/ExamplesTest.java | 8 +++++---
 src/test/java/org/owasp/html/HtmlSanitizerFuzzerTest.java | 7 +++++--
 7 files changed, 24 insertions(+), 17 deletions(-)

commit 3be8d576f718c9a582a232d00af2ebfe92da2289
Author: Mike Samuel <mikesamuel@gmail.com>
Commit: Mike Samuel <mikesamuel@gmail.com>

    consolidate special attribute handling code in preparation for srcset support

 .../java/org/owasp/html/HtmlPolicyBuilder.java | 152 +++++++++++++--------
 1 file changed, 95 insertions(+), 57 deletions(-)

commit eaa97f11cbb5e098e278b40e6c76836f7c729d8a
Author: Mike Samuel <mikesamuel@gmail.com>
Commit: Mike Samuel <mikesamuel@gmail.com>

    note on guava version change

 change_log.md | 5 +++++
 1 file changed, 5 insertions(+)

commit 2ae734d840b9a3f8a9ed43c83ea2901e22a26a5f
Author: Mike Samuel <mikesamuel@gmail.com>
Commit: Mike Samuel <mikesamuel@gmail.com>

    remove single digit major version assumption

 scripts/build_for_travis.sh | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

commit 5c4da34c1725cc18fface815877f9689e870cc86
Author: Mike Samuel <mikesamuel@gmail.com>
Commit: Mike Samuel <mikesamuel@gmail.com>

    use mvn install in script/build_for_travis.sh instead of using the Travis mvn default

 .travis.yml | 1 +
 1 file changed, 1 insertion(+)

commit e1790de136c3a8564188fa70a8273c975a3295ad
Author: Mike Samuel <mikesamuel@gmail.com>
Commit: Mike Samuel <mikesamuel@gmail.com>

    Debug Travis CI build

    Make sure javadoc builds on JDK11.
    Add some trace to figure out why local jdk7 build differs from TRAVIS.

    Pin a modern protobuf version since there was an out of bounds decoder CVE
    in trusted-types/pom.xml.

 parent/pom.xml | 13 +++++++++++++
 scripts/build_for_travis.sh | 3 ++-
 2 files changed, 15 insertions(+), 1 deletion(-)

commit 4b35ba040a52e11cd719acaa9ac1f101f9fac32d
Author: Mike Samuel <mikesamuel@gmail.com>
Commit: Mike Samuel <mikesamuel@gmail.com>

    Travis deprecated oraclejdk10. Use openjdk10 instead

 .travis.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

commit 712b400aca9efbab77973f04ba600a1cfa36e595
Author: Mike Samuel <mikesamuel@gmail.com>
Commit: Mike Samuel <mikesamuel@gmail.com>

    Fix CI build scripts that pick flags appropriate to each JDK

 .travis.yml | 6 ++----
 scripts/build_for_travis.sh | 26 +++++++++++++++++++++-----
 2 files changed, 23 insertions(+), 9 deletions(-)

commit a50feb294871f00b4f72b74ea44f850d38df7fb9
Author: Mike Samuel <mikesamuel@gmail.com>
Commit: Mike Samuel <mikesamuel@gmail.com>

    document explicit plugin dependency

 parent/pom.xml | 1 +
 1 file changed, 1 insertion(+)

commit af88a5cf415a24def22f3438f76753b0ed03a42d
Author: Mike Samuel <mikesamuel@gmail.com>
Commit: Mike Samuel <mikesamuel@gmail.com>

    run dependency audit pre-release and in CI

 RELEASE-checklist.sh | 1 +
 scripts/build_for_travis.sh | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)

commit a1dd006133971008ec8b3a6654e54f1547d482a5
Author: Mike Samuel <mikesamuel@gmail.com>
Commit: Mike Samuel <mikesamuel@gmail.com>

    Update guava.version to 27.1

    https://github.com/OWASP/java-html-sanitizer/issues/162 identifies a
    problem with depending on older guava versions.

    https://ossindex.sonatype.org/vuln/24585a7f-eb6b-4d8d-a2a9-a6f16cc7c1d0
    affects Guava < 24.1.

    This does not directly affect the sanitizer but could allow denial of
    service of clients.

    Clients that require older JDKs should use `-Dguava.version=` with `mvn`
    to specify a version of their choice or add to their POM's `<properties>`
    element

    ```xml
    <guava.version>123.1</guava.version>
    ```

 parent/pom.xml | 12 ++++++++++--
 scripts/build_for_travis.sh | 4 ++--
 2 files changed, 12 insertions(+), 4 deletions(-)

commit 36687a426e65a0ac024928ce825d4da0f8beae14
Author: Mike Samuel <mikesamuel@gmail.com>
Commit: Mike Samuel <mikesamuel@gmail.com>

    run travis w/ Java versions 10,11

 .travis.yml | 2 ++
 1 file changed, 2 insertions(+)