<!DOCTYPE HTML><html><head>
<meta http-equiv="Content-Type" content="text/html;charset=UTF-8">
<title>OWASP Java HTML Sanitizer Change Log</title>
</head>
<body>
<h1>OWASP Java HTML Sanitizer Change Log</h1>
<ol>
<li value="231">Fixed bug: <code>Sanitizers.STYLES.and(...)</code> dropped
<code>style="..."</code> attributes.</li>
<li value="220"><code>allowWithoutAttributes(true)</code> was being ignored for
a subset of elements when policies were ANDed.</li>
<li value="218">Fixed bug: case-sensitivity of URL protocols was ignored
when a set of protocols other than the standard set was used.</li>
<li value="209">Reworked <code>CssSchema</code> to allow
users to extend the default property white-list.</li>
<li value="198">Replaced the CSS sanitizer with one that does token-level
filtering, and replaced the old regular-expression-based CSS lexer
with one that neither back-tracks nor behaves quadratically on
crafted inputs.</li>
<li value="173">Fixed bug: tag balancer allowed
<code>&lt;/p&gt;</code> to close a table, so rewrote tag balancer
to recognize scoping elements per HTML5.</li>
<li value="164">Fixed bug: missing bit in HTML schema led to text in
<code>&lt;option&gt;</code> elements being elided even when
the elements themselves were white-listed.</li>
<li value="161">Fixed bug: <code>requireRelNoFollowOnLinks()</code> was
implicitly allowing the <code>a</code> element. Changed this to be
consistent with the documentation: no element is allowed unless it appears
in a call to <code>allowElements</code>.</li>
<li value="132">Added methods to the policy builder to specify which
elements are allowed to contain text, and changed the default to disallow
text in CDATA elements whose content is often not plain text.
If a custom element policy that changes the element type fails,
make sure the policy also allows the output element type.</li>
<li value="122">Restricted where text nodes can validly appear in output
per HTML5 rules, and changed the tag balancer to do better error
recovery on misplaced phrasing content.</li>
<li value="114">Changed rendering to ensure that the output HTML is
valid XML when the policy prohibits
<a href="http://www.whatwg.org/specs/web-apps/current-work/multipage/syntax.html#raw-text-elements">HTML raw text &amp; RCDATA</a>
elements, as is almost always the case.</li>
<li value="104">Changed lexer to treat <code>&lt;?…&gt;</code>
using the HTML5 bogus comment state grammar, which agrees with XML's
processing instruction production. Previously, the token ended at
the first <code>"?&gt;"</code> or end-of-file instead of the first
<code>"&gt;"</code>.</li>
<li value="99">Fixed problem with URL protocol white-listing that
caused legitimate URLs to be rejected.</li>
<li value="88">Cleaned up raw-text tag handling. <code>XMP</code>,
<code>LISTING</code> and <code>PLAINTEXT</code> are now handled by
substitution in the renderer, and <code>NOSCRIPT</code> and friends
are treated consistently whether elided or present in output.
Added a workaround for IE8 <code>innerHTML</code> weirdness.</li>
<li value="83">Prevent DoS of browsers via extremely deeply nested
tags. In sanitized CSS, allow the CSS property
<code>background-color</code> and <code>font-size</code> values
specified in <code>px</code>.</li>
<li value="74">Added convenient pre-packaged policies in <code>Sanitizers</code>.
Fixed bug in how warnings are reported via the bad-HTML <code>Handler</code>.</li>
<li value="50">Better handling of supplementary codepoints to avoid
UTF-16/UCS-2 confusion in browsers.</li>
<li value="48">Added new HTML5 URL attributes to the list used to
safeguard URL attributes in <code>HtmlPolicyBuilder</code>.</li>
<li value="42">Changed <code>HtmlSanitizer.sanitize</code> to allow
<code>null</code> as a valid value for the HTML snippet.</li>
</ol>
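<p>The following is an added example written for this page; it is not code from the
sanitizer project or from the change log's author. It exercises, through the public
<code>HtmlPolicyBuilder</code>, <code>CssSchema</code> and <code>Sanitizers</code> API, the
rules that entries 231, 220, 218, 209, 161, 99 and 42 describe, and adds a strict
XML-parse check of the output as a regression test for the tag-balancer entries 173,
122 and 114 (that check is the editor's own idea, not a project API). Assumptions: an
<code>org.owasp.html</code> release that contains those entries is on the classpath; the
builder method is spelled <code>requireRelNofollowOnLinks()</code> in the shipped API even
though the entry above writes it with a capital F; <code>float</code> and
<code>display</code> are taken to be property names that <code>CssSchema</code> knows but
<code>CssSchema.DEFAULT</code> omits; every HTML input is constructed for the demo, and the
link text of each input states what the entries lead one to expect for it.</p>

```java
import java.io.StringReader;
import java.util.Arrays;
import javax.xml.parsers.DocumentBuilderFactory;

import org.owasp.html.CssSchema;
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;
import org.owasp.html.Sanitizers;
import org.xml.sax.InputSource;

/**
 * Added example, not code from the OWASP Java HTML Sanitizer project.
 * Assumes an org.owasp.html release containing change-log entries 42..231;
 * all HTML inputs are constructed for the demo.
 */
public final class PolicyRulesDemo {

  /** Entry 161: requireRelNofollowOnLinks() alone allows no element, not even a. */
  static final PolicyFactory NOFOLLOW_ONLY =
      new HtmlPolicyBuilder().requireRelNofollowOnLinks().toFactory();

  /**
   * Entries 161, 218, 99: a must be in allowElements, and href survives only
   * when its protocol is in the allowUrlProtocols list, matched
   * case-insensitively, so JAVASCRIPT: is not an escape hatch.
   */
  static final PolicyFactory LINKS =
      new HtmlPolicyBuilder()
          .allowElements("a")
          .allowAttributes("href").onElements("a")
          .allowUrlProtocols("https")
          .requireRelNofollowOnLinks()
          .toFactory();

  /**
   * Entries 209, 220: extend the default CSS white-list instead of replacing
   * it, and keep span even after every attribute is stripped. Assumption:
   * "float" and "display" are names CssSchema knows but DEFAULT omits;
   * withProperties rejects names the schema does not know.
   */
  static final PolicyFactory STYLED_SPANS =
      new HtmlPolicyBuilder()
          .allowElements("span")
          .allowWithoutAttributes("span")
          .allowStyling(CssSchema.union(
              CssSchema.DEFAULT,
              CssSchema.withProperties(Arrays.asList("float", "display"))))
          .toFactory();

  /** Entry 231: ANDing pre-packaged policies must keep style="...". */
  static final PolicyFactory STYLES_AND_FORMATTING =
      Sanitizers.STYLES.and(Sanitizers.FORMATTING);

  /**
   * Entries 173, 122, 114: with no raw-text or RCDATA element allowed, the
   * balanced output is also well-formed XML. A strict XML parse, with
   * DOCTYPEs refused because the input is attacker-derived, checks that.
   * This check is the editor's own, not a project API.
   */
  static boolean isWellFormedXml(String fragment) {
    try {
      DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
      f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
      f.newDocumentBuilder().parse(
          new InputSource(new StringReader("<root>" + fragment + "</root>")));
      return true;
    } catch (Exception e) {
      return false;
    }
  }

  /** Sanitizes each input with the policy and prints it with the XML check. */
  static void show(String label, PolicyFactory policy, String... inputs) {
    for (String in : inputs) {
      String out = policy.sanitize(in);
      System.out.println(label + ": " + out + "  [xml ok: " + isWellFormedXml(out) + "]");
    }
  }

  public static void main(String[] args) {
    String[] links = {                       // constructed inputs
      "<a href=\"https://example.com/\">kept, with rel=nofollow</a>",
      "<a href=\"javascript:alert(1)\">href stripped</a>",
      "<a href=\"JAVASCRIPT:alert(1)\">href stripped despite the case</a>",
      "<a href=\"http://example.com/\">http is not in the protocol list</a>",
    };
    show("NOFOLLOW_ONLY", NOFOLLOW_ONLY, links);
    show("LINKS", LINKS, links);

    show("STYLED_SPANS", STYLED_SPANS,
        "<span style=\"color: red; float: left\">styled</span>",
        "<span style=\"behavior: url(x.htc)\">unsafe property dropped</span>",
        "<span onclick=\"alert(1)\">span kept, onclick dropped</span>");

    show("STYLES_AND_FORMATTING", STYLES_AND_FORMATTING,
        "<b style=\"color: red\">bold and red</b>",
        "<p>phrasing <b>unclosed <i>nested</p>",                 // tag balancer
        "<?php echo 'bogus comment ends at the first >' ?>after"); // entry 104

    // Entry 42: null is a valid snippet and sanitizes to the empty string.
    show("null input", LINKS, (String) null);
  }
}
```

<p>Build it with the <code>owasp-java-html-sanitizer</code> jar on the classpath and read the
output against the link text of each input: the <code>NOFOLLOW_ONLY</code> policy emits text
only, <code>LINKS</code> keeps just the <code>https</code> link, and an <code>a</code> whose
<code>href</code> was stripped disappears with it unless the policy also calls
<code>allowWithoutAttributes("a")</code>. The <code>[xml ok: …]</code> column is the cheap
guard a practitioner can keep in a test suite: if a future tag-balancer change ever emits
unbalanced markup for a policy without raw-text elements, this is where it shows up.</p>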
</body></html>