<!DOCTYPE HTML><html><head>
<meta http-equiv="Content-Type" content="text/html;charset=UTF-8">
<title>OWASP Java HTML Sanitizer Change Log</title>
</head>
<body>
<h1>OWASP Java HTML Sanitizer Change Log</h1>
<ol>
<li value="231">Fixed bug: <code>Sanitizers.STYLES.and(...)</code> dropped
<code>style="..."</code> attributes.</li>
<li value="220"><code>allowWithoutAttributes(true)</code> was being ignored for
a subset of elements when policies were ANDed.</li>
<li value="218">Fixed bug: case-sensitivity of URL protocols was ignored
when a set of protocols other than the standard set was used.</li>
<li value="209">Reworked <code>CssSchema</code> to allow
users to extend the default property white-list.</li>
<li value="198">Replaced the CSS sanitizer with one that does token-level
filtering, and replaced the old CSS lexer, which used regular
expressions, with one that neither back-tracks nor behaves
quadratically on crafted inputs.</li>
<li value="173">Fixed bug: the tag balancer allowed
<code>&lt;/p&gt;</code> to close a table, so rewrote the tag balancer
to recognize scoping elements per HTML5.</li>
<li value="164">Fixed bug: a missing bit in the HTML schema led to text in
<code>&lt;option&gt;</code> elements being elided even when
the elements themselves were white-listed.</li>
<li value="161">Fixed bug: <code>requireRelNoFollowOnLinks()</code> was
implicitly allowing the <code>a</code> element. Changed this to be
consistent with the documentation: no elements are allowed that do not appear
in a call to <code>allowElements</code>.</li>
<li value="132">Added methods to the policy builder to specify which
elements are allowed to contain text, and changed the default to disallow
text in CDATA elements whose content is often not plain text.
If a custom element policy that changes the element type fails,
make sure the policy allows the output element type.</li>
<li value="122">Restricted where text nodes can validly appear in output
per HTML5 rules, and changed the tag balancer to do better error
recovery on misplaced phrasing content.</li>
<li value="114">Changed rendering to ensure that the output HTML is
valid XML when the policy prohibits
<a href="http://www.whatwg.org/specs/web-apps/current-work/multipage/syntax.html#raw-text-elements">HTML raw text &amp; RCDATA</a>
elements, as is almost always the case.</li>
<li value="104">Changed the lexer to treat <code>&lt;?…&gt;</code>
using the HTML5 bogus comment state grammar, which agrees with XML's
processing instruction production. Previously, the token ended at
the first <code>"?&gt;"</code> or end-of-file instead of the first
<code>"&gt;"</code>.</li>
<li value="99">Fixed a problem with URL protocol white-listing that
caused legitimate URLs to be rejected.</li>
<li value="88">Cleaned up raw-text tag handling. XMP, LISTING and
PLAINTEXT are now handled by substitution in the renderer, and
NOSCRIPT and friends are treated consistently
whether elided or present in the output. Added a workaround for
IE8 innerHTML weirdness.</li>
<li value="83">Prevent DoS of browsers via extremely deeply nested
tags. In sanitized CSS, allow the CSS property
<code>background-color</code> and <code>font-size</code>s specified
in <code>px</code>.</li>
<li value="74">Added convenient pre-packaged policies in Sanitizers.
Fixed a bug in how warnings are reported via the badHtml Handler.</li>
<li value="50">Better handling of supplementary codepoints to avoid
UTF-16/UCS-2 confusion in browsers.</li>
<li value="48">Added new HTML5 URL attributes to the list used to
safeguard URL attributes in <code>HtmlPolicyBuilder</code>.</li>
<li value="42">Changed <code>HtmlSanitizer.sanitize</code> to allow
<code>null</code> as a valid value for the HTML snippet.</li>
</ol>
</body></html>