<!DOCTYPE HTML><html><head>
<meta http-equiv="Content-Type" content="text/html;charset=UTF-8">
<title>OWASP Java HTML Sanitizer Change Log</title>
</head>
<body>
<h1>OWASP Java HTML Sanitizer Change Log</h1>
<ol>
<li value="231">Fixed bug: <code>Sanitizers.STYLES.and(...)</code> dropped
  <code>style="..."</code> attributes.</li>
<li value="220"><code>allowWithoutAttributes(true)</code> was being ignored for
  a subset of elements when policies were ANDed.</li>
<li value="218">Fixed bug: case-sensitivity of URL protocols was ignored
  when a set of protocols other than the standard set was used.</li>
<li value="209">Reworked <code>CssSchema</code> to allow
  users to extend the default property white-list.</li>
<li value="198">Replaced the CSS sanitizer with one that does token-level
  filtering, and replaced the old CSS lexer that used regular
  expressions with one that neither back-tracks nor behaves
  quadratically on crafted inputs.</li>
<li value="173">Fixed bug: the tag balancer allowed
  <code>&lt;/p&gt;</code> to close a table, so rewrote the tag balancer
  to recognize scoping elements per HTML5.</li>
<li value="164">Fixed bug: a missing bit in the HTML schema led to text in
  <code>&lt;option&gt;</code> elements being elided even when
  the elements themselves were white-listed.</li>
<li value="161">Fixed bug: <code>requireRelNoFollowOnLinks()</code> was
  implicitly allowing the <code>a</code> element.  Changed this to be
  consistent with the documentation: no elements are allowed that do not appear
  in a call to <code>allowElements</code>.</li>
<li value="132">Added methods to the policy builder to specify which
  elements are allowed to contain text, and changed the default to disallow
  text in CDATA elements, whose content is often not plain text.
  If a custom element policy changes the element type, make sure the
  policy allows the output element type.</li>
<li value="122">Restricted where text nodes can validly appear in output
  per HTML5 rules and changed the tag balancer to do better error
  recovery on misplaced phrasing content.</li>
<li value="114">Changed rendering to ensure that the output HTML is
  valid XML when the policy prohibits
  <a href="http://www.whatwg.org/specs/web-apps/current-work/multipage/syntax.html#raw-text-elements">HTML raw text &amp; RCDATA</a>
  elements, as is almost always the case.</li>
<li value="104">Changed the lexer to treat <code>&lt;?&hellip;&gt;</code>
  using the HTML5 bogus comment state grammar, which agrees with XML's
  processing instruction production.  Previously, the token ended at
  the first <code>"?>"</code> or end-of-file instead of the first
  <code>">"</code>.</li>
<li value="99">Fixed a problem with URL protocol white-listing that
  caused legitimate URLs to be rejected.</li>
<li value="88">Cleaned up raw-text tag handling. XMP, LISTING and
  PLAINTEXT are now handled by substitution in the renderer, and
  NOSCRIPT and friends are now treated consistently
  whether elided or present in the output.  Added a workaround for
  IE8 innerHTML weirdness.</li>
<li value="83">Prevent DoS of browsers via extremely deeply nested
  tags.  In sanitized CSS, allow the CSS property
  <code>background-color</code> and <code>font-size</code> values specified
  in <code>px</code>.</li>
<li value="74">Added convenient pre-packaged policies in Sanitizers.
  Fixed a bug in how warnings are reported via the badHtml Handler.</li>
<li value="50">Better handling of supplementary codepoints to avoid
  UTF-16/UCS-2 confusion in browsers.</li>
<li value="48">Added new HTML5 URL attributes to the list used to
  safeguard URL attributes in <code>HtmlPolicyBuilder</code>.</li>
<li value="42">Changed <code>HtmlSanitizer.sanitize</code> to allow
  <code>null</code> as a valid value for the HTML snippet.</li>
</ol>
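<p>The entry for revision 104 above describes a change in where a <code>&lt;?&hellip;&gt;</code> token ends. The point matters for a sanitizer because a sanitizer that ends the token later than the browser does will treat markup as comment content that the browser will treat as live. The following Python is an added illustration of the two token-boundary rules and is not code from the OWASP Java HTML Sanitizer; the minimal tokenizer, the function names and the sample input are all constructed here.</p>

```python
"""Where a '<?...>' token ends: the old '?>' rule versus the HTML5 bogus-comment rule.

Added illustration; not the OWASP Java HTML Sanitizer's lexer.
"""

from typing import Callable, List, Tuple

Token = Tuple[str, str]


def old_pi_end(html: str, start: int) -> int:
    """Old behaviour described in the change log: the token ends after the
    first '?>' following the opening '<?', or at end of input."""
    assert html.startswith("<?", start)
    close = html.find("?>", start + 2)
    return len(html) if close < 0 else close + 2


def bogus_comment_end(html: str, start: int) -> int:
    """HTML5 bogus comment state: the token ends after the first '>'
    following the opening '<?', or at end of input."""
    assert html.startswith("<?", start)
    close = html.find(">", start + 2)
    return len(html) if close < 0 else close + 1


def split_tokens(html: str, end_rule: Callable[[str, int], int]) -> List[Token]:
    """Minimal tokenizer: every '<?' starts a bogus-comment token whose end is
    decided by end_rule; everything else is emitted as text.  Real HTML lexing
    has many more states; only the distinction under discussion is modelled."""
    tokens: List[Token] = []
    i = 0
    text_start = 0
    while i < len(html):
        if html.startswith("<?", i):
            if i > text_start:
                tokens.append(("text", html[text_start:i]))
            end = end_rule(html, i)
            tokens.append(("bogus-comment", html[i:end]))
            i = end
            text_start = end
        else:
            i += 1
    if text_start < len(html):
        tokens.append(("text", html[text_start:]))
    return tokens


def text_outside_tokens(html: str, end_rule: Callable[[str, int], int]) -> str:
    """The text a filter would see as ordinary content under the given rule."""
    return "".join(value for kind, value in split_tokens(html, end_rule) if kind == "text")


# Constructed sample: a '>' appears before the '?>', so the two rules disagree.
SAMPLE = "<?php echo 1 > 0 ?> tail"

if __name__ == "__main__":
    for name, rule in (("old '?>' rule", old_pi_end), ("HTML5 bogus comment", bogus_comment_end)):
        print(name)
        for kind, value in split_tokens(SAMPLE, rule):
            print(f"  {kind:14s} {value!r}")
```

<p>Under the old rule the whole sample is one token and the text after the first <code>&gt;</code> is hidden from any later filtering stage; under the HTML5 rule the token stops at that <code>&gt;</code> and <code>" 0 ?&gt; tail"</code> is ordinary text, which is also how a browser will treat it. For a well-formed XML processing instruction, which contains no bare <code>&gt;</code> before its <code>?&gt;</code>, both rules give the same boundary.</p>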
</body></html>