• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1<!DOCTYPE HTML><html><head>
2<meta http-equiv="Content-Type" content="text/html;charset=UTF-8">
3<title>OWASP Java HTML Sanitizer Change Log</title>
4</head>
5<body>
6<h1>OWASP Java HTML Sanitizer Change Log</h1>
7<ol>
8<li value="231">Fixed bug: <code>Sanitizers.STYLES.and(...)</code> dropped
9  <code>style="..."</code> attributes.</li>
10<li value="220"><code>allowWithoutAttributes(true)</code> was being ignored for
11  a subset of elements when policies were ANDED.</li>
12<li value="218">Fixed bug: case-sensitivity of URL protocols was ignored
13  when a set of protocols other than the standard set was used</li>
14<li value="209">Reworked <code>CssSchema</code> to allow
15  users to extend the default property white-list.</li>
16<li value="198">Replaced CSS sanitizer with one that does token-level
17  filtering, and replaces the old CSS lexer that used regular
18  expressions with one that doesn't back-track, or behave
19  quadratically on crafted inputs.</li>
20<li value="173">Fixed bug: tag balancer allowed
21  <code>&lt;/p&gt;</code> to close a table, so rewrote tag balancer
22  to recognize scoping elements per HTML5.</li>
23<li value="164">Fixed bug: missing bit in HTML schema led to text in
24  <code>&lt;option&gt;</code> elements being elided even when
25  the elements themselves were white-listed.</li>
26<li value="161">Fixed bug: <code>requireRelNoFollowOnLinks()</code> was
27  implicitly allowing the <code>a</code> element.  Changed this to be
28  consistent with document: no elements are allowed that do not appear
29  in a call to <code>allowElements</code>.</li>
30<li value="132">Add methods to policy builder to specify which
31  elements are allowed to contain text and change default to disallow
32  text in CDATA elements whose content is often not plain text.
33  If custom element policies that change the element type fail,
34  make sure the policy allows the output element type.</li>
35<li value="122">Restrict where text-nodes can validly appear in output
36  per HTML5 rules and changed the tag balancer to do better error
37  recovery on misplaced phrasing content.</li>
38<li value="114">Changed rendering to ensure that the output HTML is
39  valid XML when the policy prohibits
40  <a href="http://www.whatwg.org/specs/web-apps/current-work/multipage/syntax.html#raw-text-elements">HTML raw text &amp; RCDATA</a>
41  elements as is almost always the case.</li>
42<li value="104">Changed lexer to treat <code>&lt;?&hellip;&gt;</code>
43  using the HTML5 bogus comment state grammar which agrees with XML's
44  processing instruction production.  Previously, the token ended at
45  the first <code>"?>"</code> or end-of-file instead of the first
46  <code>">"</code>.</li>
47<li value="99">Fixed problem with URL protocol white-listing that
48  caused legitimate URLs to be rejected.</li>
49<li value="88">Cleaned up raw-text tag handling. XMP, LISTING,
50  PLAINTEXT now handled by substitution in the renderer and
51  changed NOSCRIPT and friends so they are treated consistently
52  when elided as when present in output.  Added workaround for
53  IE8 innerHTML wierdness.</li>
54<li value="83">Prevent DoS of browsers via extremely deeply nested
55  tags.  In sanitized CSS, allow CSS property
56  <code>background-color</code> and<code>font-size</code>s specified
57  in <code>px</code>.</li>
58<li value="74">Added convenient pre-packaged policies in Sanitizers.
59  Fixed bug in how warnings are reported via the badHtml Handler.</li>
60<li value="50">Better handling of supplementary codepoints to avoid
61  UTF-16/UCS-2 confusion in browsers.</li>
62<li value="48">Added new HTML5 URL attributes to list used to
63  safeguard URL attributes in <code>HtmlPolicyBuilder</code>.</li>
64<li value="42">Changed <code>HtmlSanitizer.sanitize</code> to allow
65  <code>null</code> as a valid value for the HTML snippet.</li>
66</ol>
67</body></html>
68