<!DOCTYPE HTML><html><head>
<meta http-equiv="Content-Type" content="text/html;charset=UTF-8">
<title>OWASP Java HTML Sanitizer Change Log</title>
</head>
<body>
<h1>OWASP Java HTML Sanitizer Change Log</h1>
<ol>
<li value="205">Reworked <code>CssSchema</code> to allow
users to extend the default property white-list.</li>
<li value="198">Replaced CSS sanitizer with one that does token-level
filtering, and replaces the old CSS lexer that used regular
expressions with one that doesn't back-track, or behave
quadratically on crafted inputs.</li>
<li value="173">Fixed bug: tag balancer allowed
<code>&lt;/p&gt;</code> to close a table, so rewrote tag balancer
to recognize scoping elements per HTML5.</li>
<li value="164">Fixed bug: missing bit in HTML schema led to text in
<code>&lt;option&gt;</code> elements being elided even when
the elements themselves were white-listed.</li>
<li value="161">Fixed bug: <code>requireRelNoFollowOnLinks()</code> was
implicitly allowing the <code>a</code> element. Changed this to be
consistent with documentation: no elements are allowed that do not appear
in a call to <code>allowElements</code>.</li>
<li value="132">Add methods to policy builder to specify which
elements are allowed to contain text and change default to disallow
text in CDATA elements whose content is often not plain text.
If custom element policies that change the element type fail,
make sure the policy allows the output element type.</li>
<li value="122">Restrict where text-nodes can validly appear in output
per HTML5 rules and changed the tag balancer to do better error
recovery on misplaced phrasing content.</li>
<li value="114">Changed rendering to ensure that the output HTML is
valid XML when the policy prohibits
<a href="http://www.whatwg.org/specs/web-apps/current-work/multipage/syntax.html#raw-text-elements">HTML raw text &amp; RCDATA</a>
elements, as is almost always the case.</li>
<li value="104">Changed lexer to treat <code>&lt;?…&gt;</code>
using the HTML5 bogus comment state grammar, which agrees with XML's
processing instruction production. Previously, the token ended at
the first <code>"?&gt;"</code> or end-of-file instead of the first
<code>"&gt;"</code>.</li>
<li value="99">Fixed problem with URL protocol white-listing that
caused legitimate URLs to be rejected.</li>
<li value="88">Cleaned up raw-text tag handling. XMP, LISTING and
PLAINTEXT are now handled by substitution in the renderer, and
changed NOSCRIPT and friends so they are treated consistently
when elided as when present in output. Added workaround for
IE8 innerHTML weirdness.</li>
<li value="83">Prevent DoS of browsers via extremely deeply nested
tags. In sanitized CSS, allow CSS property
<code>background-color</code> and <code>font-size</code>s specified
in <code>px</code>.</li>
<li value="74">Added convenient pre-packaged policies in Sanitizers.
Fixed bug in how warnings are reported via the badHtml Handler.</li>
<li value="50">Better handling of supplementary codepoints to avoid
UTF-16/UCS-2 confusion in browsers.</li>
<li value="48">Added new HTML5 URL attributes to list used to
safeguard URL attributes in <code>HtmlPolicyBuilder</code>.</li>
<li value="42">Changed <code>HtmlSanitizer.sanitize</code> to allow
<code>null</code> as a valid value for the HTML snippet.</li>
</ol>
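<p>An added example (not part of this change log or of the project's own code) illustrating the allow-list rule from entry 161 together with the URL protocol allow-list from entry 99: the <code>rel=nofollow</code> requirement does not by itself admit the <code>a</code> element, so anchors survive only when <code>allowElements</code> names them. The method spellings <code>requireRelNofollowOnLinks</code>, <code>allowUrlProtocols</code> and <code>toFactory</code> are assumed from the library's <code>HtmlPolicyBuilder</code> API; the input HTML is a constructed sample.</p>

```java
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

public final class AllowListDemo {
    // Policy that never names "a" in allowElements. Per change-log entry
    // 161, requireRelNofollowOnLinks() no longer implicitly allows the
    // element, so anchors are dropped and only their text content remains.
    static final PolicyFactory LINKS_NOT_ALLOWED = new HtmlPolicyBuilder()
        .allowElements("p", "b")
        .requireRelNofollowOnLinks()
        .toFactory();

    // Same policy with "a" and its href explicitly allowed; href values
    // must use an allow-listed protocol (here only https), anything else
    // is removed rather than passed through.
    static final PolicyFactory LINKS_ALLOWED = new HtmlPolicyBuilder()
        .allowElements("p", "b", "a")
        .allowAttributes("href").onElements("a")
        .allowUrlProtocols("https")
        .requireRelNofollowOnLinks()
        .toFactory();

    public static void main(String[] args) {
        // Constructed untrusted input: one https link carrying an event
        // handler attribute the policy does not allow, and one link whose
        // protocol is outside the allow-list.
        String untrusted =
            "<p>See <a href=\"https://example.com/\" onclick=\"f()\">docs</a> "
            + "and <a href=\"javascript:void(0)\">this</a>.</p>";

        // No "a" in allowElements: both anchors are unwrapped to plain text.
        System.out.println(LINKS_NOT_ALLOWED.sanitize(untrusted));

        // "a" allowed: the https link is kept with rel="nofollow" added and
        // the onclick attribute removed; the non-https href is dropped.
        System.out.println(LINKS_ALLOWED.sanitize(untrusted));
    }
}
```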
</body></html>