<!DOCTYPE HTML><html><head>
<meta http-equiv="Content-Type" content="text/html;charset=UTF-8">
<title>OWASP Java HTML Sanitizer Change Log</title>
</head>
<body>
<h1>OWASP Java HTML Sanitizer Change Log</h1>
<ol>
<li value="173">Fixed bug: tag balancer allowed
<code>&lt;/p&gt;</code> to close a table, so rewrote tag balancer
to recognize scoping elements per HTML5.</li>
<li value="164">Fixed bug: missing bit in HTML schema led to text in
<code>&lt;option&gt;</code> elements being elided even when
the elements themselves were white-listed.</li>
<li value="161">Fixed bug: <code>requireRelNoFollowOnLinks()</code> was
implicitly allowing the <code>a</code> element. Changed this to be
consistent with the documentation: no elements are allowed that do not
appear in a call to <code>allowElements</code>.</li>
<li value="132">Added methods to the policy builder to specify which
elements are allowed to contain text, and changed the default to disallow
text in CDATA elements, whose content is often not plain text.
If a custom element policy that changes the element type fails,
make sure the policy allows the output element type.</li>
<li value="122">Restricted where text nodes can validly appear in output
per HTML5 rules, and changed the tag balancer to do better error
recovery on misplaced phrasing content.</li>
<li value="114">Changed rendering to ensure that the output HTML is
valid XML when the policy prohibits
<a href="http://www.whatwg.org/specs/web-apps/current-work/multipage/syntax.html#raw-text-elements">HTML raw text &amp; RCDATA</a>
elements, as is almost always the case.</li>
<li value="104">Changed lexer to treat <code>&lt;?…&gt;</code>
using the HTML5 bogus comment state grammar, which agrees with XML's
processing instruction production. Previously, the token ended at
the first <code>"?&gt;"</code> or end-of-file instead of the first
<code>"&gt;"</code>.</li>
<li value="99">Fixed problem with URL protocol white-listing that
caused legitimate URLs to be rejected.</li>
<li value="88">Cleaned up raw-text tag handling. XMP, LISTING and
PLAINTEXT are now handled by substitution in the renderer, and
changed NOSCRIPT and friends so they are treated consistently
when elided as when present in output. Added workaround for
IE8 innerHTML weirdness.</li>
<li value="83">Prevent DoS of browsers via extremely deeply nested
tags. In sanitized CSS, allow the CSS property
<code>background-color</code> and <code>font-size</code> values specified
in <code>px</code>.</li>
<li value="74">Added convenient pre-packaged policies in Sanitizers.
Fixed bug in how warnings are reported via the badHtml Handler.</li>
<li value="50">Better handling of supplementary codepoints to avoid
UTF-16/UCS-2 confusion in browsers.</li>
<li value="48">Added new HTML5 URL attributes to list used to
safeguard URL attributes in <code>HtmlPolicyBuilder</code>.</li>
<li value="42">Changed <code>HtmlSanitizer.sanitize</code> to allow
<code>null</code> as a valid value for the HTML snippet.</li>
</ol>
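<p>The entries for revisions 161 (no element is allowed unless it appears in an <code>allowElements</code> call, even when <code>rel=nofollow</code> is required on links), 132 (<code>allowTextIn</code>) and 42 (<code>null</code> input) describe the policy builder's deny-by-default contract. The following is an added illustration written for this page, not code shipped with the sanitizer: it builds two policies from the public <code>HtmlPolicyBuilder</code> API and runs a constructed snippet through both. The class name <code>PolicyDemo</code> and the sample input are assumptions; the method is spelled <code>requireRelNofollowOnLinks()</code> here, as in the published builder API, whereas the change log entry above writes it <code>requireRelNoFollowOnLinks()</code>.</p>

```java
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

// Added example for this change log; not part of the OWASP project sources.
public class PolicyDemo {

  // Constructed sample input: an anchor with an event handler, a script
  // element, and a javascript: URL. Every tag is balanced on purpose.
  static final String INPUT =
      "<p>Visit <a href=\"http://example.com/\" onclick=\"steal()\">here</a>"
      + "<script>alert(1)</script> or "
      + "<a href=\"javascript:alert(1)\">this</a></p>";

  // Policy that asks for rel=nofollow on links but never allows the a
  // element. Per revision 161 this is deny-by-default: the anchors are
  // dropped, and only their text survives inside the allowed p element.
  static final PolicyFactory NOFOLLOW_WITHOUT_ANCHOR = new HtmlPolicyBuilder()
      .allowElements("p")
      .requireRelNofollowOnLinks()
      .toFactory();

  // The intended policy: allow a, its href attribute, and only the
  // standard URL protocols (so the javascript: URL is rejected), and
  // still add rel=nofollow to every surviving link. onclick is never
  // allowed, so it is removed. allowTextIn (revision 132) states which
  // elements may carry text.
  static final PolicyFactory LINKS = new HtmlPolicyBuilder()
      .allowElements("p", "a")
      .allowAttributes("href").onElements("a")
      .allowStandardUrlProtocols()
      .requireRelNofollowOnLinks()
      .allowTextIn("p", "a")
      .toFactory();

  // Wrapper so callers can compare the two policies on the same input.
  static String sanitizeWith(PolicyFactory policy, String html) {
    return policy.sanitize(html);
  }

  public static void main(String[] args) {
    System.out.println(sanitizeWith(NOFOLLOW_WITHOUT_ANCHOR, INPUT));
    System.out.println(sanitizeWith(LINKS, INPUT));
    // Revision 42: null is accepted as the HTML snippet instead of throwing.
    System.out.println(sanitizeWith(LINKS, null));
  }
}
```

<p>Running this with the sanitizer on the classpath prints the first policy's output with no <code>a</code> tags at all, and the second policy's output with the <code>script</code> element, the <code>onclick</code> handler and the <code>javascript:</code> URL removed and <code>rel="nofollow"</code> added to the surviving link. The practical check is the first line: if a policy is expected to emit links and none appear, confirm that <code>"a"</code> was passed to <code>allowElements</code> rather than relying on <code>requireRelNofollowOnLinks()</code> to imply it.</p>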
</body></html>