History log of /external/owasp/sanitizer/src/main/org/
Revision Date Author Comments
550c8d3230c152db7156b266d089512b72ac0024 07-May-2014 mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> Fixed shift underflow bug in interElementWhitespace checking.

git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@231 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/TagBalancingHtmlStreamEventReceiver.java
9c0798e090ee7db347657ed2b8604ce26fbe74d1 06-May-2014 mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> issue 28: fix Sanitizer.STYLES by changing PolicyFactory to store globals and apply its globals to the other factory when combining PolicyFactories via PolicyFactory.and

git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@229 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/AttributePolicy.java
wasp/html/ElementAndAttributePolicies.java
wasp/html/FilterUrlByProtocolAttributePolicy.java
wasp/html/HtmlPolicyBuilder.java
wasp/html/PolicyFactory.java
wasp/html/StylingPolicy.java
d86290faea7165946969d0052b1244d87f2139bb 06-May-2014 mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> Recognize that <basefont> is an empty element

git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@228 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/HtmlTextEscapingMode.java
299511715e3425b6525aa34332610e41975e77b2 27-Feb-2014 mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> fixed findbugs warning about missing default

git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@221 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/examples/UrlTextExample.java
e5d1831401c6302339a6902f790d7c133f8a4b55 27-Feb-2014 mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> fixed issue 23 : ANDing two policies was confused by allowWithoutAttributes overrides of elements like <img>,<a>,<span> that are by-default dropped without elements

git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@220 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/ElementAndAttributePolicies.java
7d0755627f174ec9d5f148bd9fa3a5cc732edb3f 27-Feb-2014 mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> fix issue 24: protocol whitelisting not case-insensitive

git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@218 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/FilterUrlByProtocolAttributePolicy.java
36633f880daebe2d5a3360ebfe57df5bd4a6e53a 27-Feb-2014 mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> added possessive quantifier to OFFSITE_URL regex to address issue https://code.google.com/p/owasp-java-html-sanitizer/issues/detail?id=25

git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@217 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/examples/EbayPolicyExample.java
fad0ad7c601b441c699c817a778d1e4ea51fa8f5 27-Feb-2014 mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> add srcset attribute to the list of URL attributes

git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@216 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/HtmlPolicyBuilder.java
29485df1063d171e17769b5ad55128abb979a846 28-Oct-2013 mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> fixed year in file header. Damn file headers and cargo-cult lawyering.

git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@214 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/examples/UrlTextExample.java
aab0cbeeb7abb201e1ed154fd1db4e4846e51692 28-Oct-2013 mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> unit tests for UrlTextExample

git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@213 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/examples/UrlTextExample.java
9527772b09c52dc9adbf1624bd150f4d8e826153 28-Oct-2013 mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> fixes for UrlTextExample

git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@212 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/HtmlTextEscapingMode.java
wasp/html/examples/UrlTextExample.java
1834ad78fccdbe09c0fec7a79f854fda8b9a6fcd 28-Oct-2013 mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> an example that explains how to use event receivers to annotate links and images

git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@211 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/examples/UrlTextExample.java
8ee01758dfc6f9871c2d4da44b4ce106c6be8020 05-Sep-2013 mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> reworked the public API of CssSchema to allow clients to white-list further properties per https://groups.google.com/forum/#!topic/owasp-java-html-sanitizer-support/ZFxMMOh8dyk

git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@205 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/CssSchema.java
a1b4378ade2caa7a029abba418a37ed7b94e7a7f 04-Sep-2013 mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> warning cleanup : field hiding

git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@203 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/TagBalancingHtmlStreamEventReceiver.java
ce5bde40e2e126de05105f09f1f965a5c70aaa94 22-Jul-2013 mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> cosmetic fixes to source code : line wrapping and comments

git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@198 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/CssSchema.java
wasp/html/Encoding.java
wasp/html/HtmlPolicyBuilder.java
wasp/html/Sanitizers.java
wasp/html/StylingPolicy.java
wasp/html/TagBalancingHtmlStreamEventReceiver.java
1af054935066ae9db1476bef96ff224410edb1f4 22-Jul-2013 mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> refactored CssSchema to distinguish between a schema, a collection of property filters, and the properties themselves which are now instances of an inner class. Added code to the policy builder to allow a styling policy to be created with a custom schema.

git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@197 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/CssSchema.java
wasp/html/HtmlPolicyBuilder.java
wasp/html/StylingPolicy.java
5d249f1bf7938bbba10d2cbfdeb159220a6ea16c 21-Jul-2013 mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> wrote a fuzzer for the CSS lexer to tease out token merging and misclassification problems by throwing tons of random inputs at the lexer and checking overall properties like termination, idempotence, and pattern matching each output token.

git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@195 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/CssTokens.java
aaf3076dbab1d3484717a87085e27ec21c7217d1 21-Jul-2013 mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> added main method to CssSchema to make reviewing the white-list easier

git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@194 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/CssSchema.java
adf65fa8048eaf04e12e2b36e3ad9a78429ce96b 18-Jul-2013 mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> cleanup and deduping schema

git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@193 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/CssSchema.java
8a521140d4f962a2c91e12026ea61a5511b17bd2 18-Jul-2013 mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> fleshed out CSS lexer tests, added handling for line continuations in strings, and stripped out debugging cruft

git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@192 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/CssTokens.java
6afee9b02bc894e2f91eec3ac2e7e9c0c30c2878 18-Jul-2013 mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> clean up debugging cruft and IDE warnings

git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@190 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/CssGrammar.java
b268f8745b09a77af2e8c77ffd376b6459bf4fec 18-Jul-2013 mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> rewrite the CSS sanitizer to do token-level filtering

git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@188 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/StylingPolicy.java
f8bc9acbd49eb8d97767129862426a9c865247ef 18-Jul-2013 mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> a table of CSS properties and the tokens allowed in their values derived from the Caja white-lists

git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@187 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/CssSchema.java
5e810f7ffa3dc2f6baefc762abd7e4ad31a640cb 17-Jul-2013 mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> remove debugging cruft and only treat properly lengthed hash literals as unrestricted

git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@186 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/CssGrammar.java
9f3ae6ac5732a614eb965a97f3d47d7acc21e98b 17-Jul-2013 mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> fixed token merging of unicode ranges and differentiate quantities with known suffices from those without

git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@185 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/CssTokens.java
195fd71a25612b7c24d4f46b3596cc27d0a1bdb0 17-Jul-2013 mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> fleshed out tests for new CSS lexer

git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@182 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/CssGrammar.java
wasp/html/CssTokens.java
87a0aa3f3a06733ee76e249e957f0b8aaf7b2565 17-Jul-2013 mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> debugged bracket indices and fixed bugs in space allocation on unclosed bracket pairs at end of input and in the mapping from close-brackets to their partners

git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@181 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/CssTokens.java
b600c3cd7edfb02d79c264fd83b1306e94053b7e 17-Jul-2013 mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> REGRESSION RISK: replace CSS lexer based on regular expressions with one that does not backtrack or left-recurse. This new code has not yet been thoroughly tested. Fuzzing and hardening will happen in follow-on CLs but it is not yet suitable for stable.

git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@180 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/CssGrammar.java
wasp/html/CssTokens.java
wasp/html/StylingPolicy.java
4a4eface066ace45d8220fdaad0ab0cfd7c4cc29 17-Jul-2013 mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> fix typo in documentation

git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@179 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/HtmlPolicyBuilder.java
be666032a113a8af92bc557add8e83579cf0ef5c 17-Jul-2013 mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> cleanup IDE warnings about methods that could be static

git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@178 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/ElementAndAttributePolicyBasedSanitizerPolicy.java
wasp/html/HtmlLexer.java
dce9ad7d3bd7d17abd3f707ba8cd381fa8a4d539 10-Jun-2013 mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> box model handling for styles

git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@176 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/CssGrammar.java
wasp/html/StylingPolicy.java
783908cf042927b900d42383d30ec1fb8ee83d1f 16-May-2013 mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> fixed tag balancer so that implicit end tags are not generated for scope-introducing elements like tables and list items when a close tag ought to be restricted to an element within that scope

git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@173 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/TagBalancingHtmlStreamEventReceiver.java
0ca1e3cb72745696510f7b23dc0998cc001b9c00 16-May-2013 mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> unused import

git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@171 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/examples/EbayPolicyExample.java
4c1e3417997042b0b485cbf71344a0210dfaba04 24-Apr-2013 mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> modify the HTML schema in TagBalancingHtmlStreamEventReceiver to make sure character data is allowed in option elements

git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@163 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/TagBalancingHtmlStreamEventReceiver.java
6ca215a0c4ddbbf4f6528df5d0e6ba2009d564cd 27-Mar-2013 mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> fixed minor bug in EbayPolicyExample which exposed a bug in requireRelNofFollowOnLinks that was half-heartedly allowing links

git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@161 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/HtmlPolicyBuilder.java
wasp/html/examples/EbayPolicyExample.java
489a0ec7301a86af8497d24748336db09ca278da 26-Feb-2013 mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> upgraded to most recent version of findbugs

git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@155 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/HtmlStreamRenderer.java
wasp/html/PolicyFactory.java
c517d7c6cadcd8643d565783464a2728be8c08d9 12-Feb-2013 mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> instead of creating <font> elements when sanitizing CSS, just do a better job of white-listing and sanitizing font faces, sizes, and alignment. This fixes problems whereby font elements were being introduced into tables but outside the table cells they were meant to style and which can legally contain them

git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@147 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/ElementAndAttributePolicyBasedSanitizerPolicy.java
wasp/html/FilterUrlByProtocolAttributePolicy.java
wasp/html/HtmlPolicyBuilder.java
wasp/html/PolicyFactory.java
wasp/html/StylingPolicy.java
0904bd6638ced4212ff03eccce948a1d4b6f0992 12-Feb-2013 mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> commented out unused function

git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@144 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/HtmlEntities.java
79b4c29af1261d95c663bdf0003b70cb0eb8000e 21-Nov-2012 mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> added methods to the policy builder to specify which elements are allowed to contain text. By default text is allowed in any allowed element that can contain normal flow or block content, but disallowed in CDATA elements like <iframe>.

git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@132 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/ElementAndAttributePolicyBasedSanitizerPolicy.java
wasp/html/HtmlPolicyBuilder.java
wasp/html/PolicyFactory.java
wasp/html/StylingPolicy.java
wasp/html/TagBalancingHtmlStreamEventReceiver.java
63dba946a9a0b3af438ca08b6824e653e5ca58c5 06-Nov-2012 mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> added restrictions to the TagBalancingHtmlStreamEventReceiver so non-whitespace text nodes can only appear where phrasing content, flow content, or regular character data are allowed. This means that an <li> is added around "two" in <ul><li>one</li>two</ul>. changed to tag balancer to also recognize that </h3> and friends close any open header.

git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@122 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/TagBalancingHtmlStreamEventReceiver.java
1ecbdce5dd203e7aca2b93650ca3afce17dbc095 23-Oct-2012 mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> fix issue 7: misnested lists. Changes tag balancer to insert block container elements when a block or flow content element is seen in a context where block and flow elements are disallowed.

git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@121 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/TagBalancingHtmlStreamEventReceiver.java
0df9131f7be5c0f90ce70d43b7e4239a6a6df016 22-Sep-2012 mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> changed rendering to ensure that the output HTML is always valid XML when the policy prohibits HTML raw text & RCDATA elements

git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@114 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/Encoding.java
wasp/html/HtmlSanitizer.java
wasp/html/HtmlStreamRenderer.java
d687f1e3b48d511bc22f04c38931b9351846ac88 01-Aug-2012 mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> added intrusion detection version of PolicyFactory.sanitize

git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@112 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/PolicyFactory.java
68c898cc07aad9e4c616522afdd13a0cc4534117 01-Aug-2012 mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> added convenience APIs for intrusion detection hooks

git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@110 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/HtmlChangeListener.java
wasp/html/HtmlChangeReporter.java
wasp/html/HtmlPolicyBuilder.java
wasp/html/HtmlSanitizer.java
wasp/html/PolicyFactory.java
6f2fc048ffc4ada68fabb389eb3f409229625b90 01-Aug-2012 mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> added an interstitial layer that can report dropped tags and attributes to an intrusion detection system

git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@109 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/HtmlChangeListener.java
wasp/html/HtmlChangeReporter.java
c9415e2bae5ddb7887d87a6e38a4d3074dfb320b 11-May-2012 mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> fixed typo in comment

git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@106 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/HtmlTokenType.java
d78e82dfc7da9c1e4ad8e4199bc375089a799c85 10-May-2012 mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> Tweak lexer token grammar to handle XML prologues, processing instructions and HTML5 bogus comments properly. HTML5 transitions into a bogus comment state on seeing "<?" from a data state and ends at the first ">" or end of file token seen. XML Processing instructions and XML Prologues are both subsets of this production. This changes the lexer to use that grammar instead of ending at "?>" or end of file which handles comments that Outlook puts in HTML copied from an email. The lexer is not in the TCB so this change is low risk.

git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@104 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/HtmlLexer.java
wasp/html/HtmlSanitizer.java
wasp/html/HtmlTokenType.java
e7e78dd647a336268098d3438acc27ff4fcf0322 26-Mar-2012 mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> Fix issue 5: protocol filtering failed to match the proper substring against the allowed protocol set.

git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@99 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/FilterUrlByProtocolAttributePolicy.java
b530bfd7496ead9ab962726781dd90b6c739cdce 02-Nov-2011 mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> Rework handling of raw-text elements to avoid browser confusion

git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@87 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/HtmlStreamRenderer.java
wasp/html/HtmlTextEscapingMode.java
1bfae835221847e7791625e2baa98a60eb3cfa8a 26-Oct-2011 mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> fix IE8 innerHTML issue

git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@86 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/ElementAndAttributePolicyBasedSanitizerPolicy.java
wasp/html/HtmlLexer.java
wasp/html/HtmlStreamRenderer.java
wasp/html/PolicyFactory.java
wasp/html/StylingPolicy.java
5b7822ad25b5ebd8bc2733b914215e6189a785cc 19-Oct-2011 mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> reworked color handling in StylingPolicy to allow background and to only ever output #hex colors

git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@83 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/StylingPolicy.java
40d8af71b50230379c385b3ad9aa36034a0761eb 19-Oct-2011 mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> allow font sizes to be specified in pixels

git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@82 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/StylingPolicy.java
d702e7e7fd237420e6b22b93a02ec5996c88d2ea 19-Oct-2011 mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> Fixed initialization error in example and added test to make sure the examples run

git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@81 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/examples/EbayPolicyExample.java
4d17cd9ce55e109898d50a4e54f01838f3cb93dc 19-Oct-2011 mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> adjusted document depth limit based on default from WebCore

git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@80 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/HtmlSanitizer.java
3f54e49f2181c52ca40d99fbe738b2484ba91528 14-Oct-2011 mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> Fix issue 3: "Deeply nested elements crash FF 8, Chrome 11" by not emitting any tokens from TagBalancingHtmlStreamEventReceiver when the open element stack exceeds a nestingLimit. This limit is 128 based on some data on table nesting levels seen in the wild by Opera but I am continuing to look for info about the distribution of actual nesting depth for documents in the wild.

git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@79 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/HtmlSanitizer.java
wasp/html/TagBalancingHtmlStreamEventReceiver.java
6434d0d4455c4afb38b7c9c58c4ad844fb761a3f 09-Oct-2011 mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> more javadoc fixes

git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@74 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/Sanitizers.java
d7c2f9f6c741b83b880ad878269d18ceb1af1d4a 09-Oct-2011 mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> fixed javadoc

git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@73 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/Sanitizers.java
38bb37b955601261fd8945ee22aa09ac30d29298 09-Oct-2011 mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> Added Sanitizers class with prepackage policies, extracted the policy implementation from HtmlPolicyBuilder and extended it with convenience methods sanitize(String) and and(..) which allows composition of built policy factories.

git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@71 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/ElementAndAttributePolicies.java
wasp/html/HtmlPolicyBuilder.java
wasp/html/PolicyFactory.java
wasp/html/Sanitizers.java
6691ce1a99dafc59640caa4a32dba505ceebe8ca 09-Oct-2011 mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> Updated list of void HTML elements

git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@70 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/HtmlTextEscapingMode.java
f27efcbb0ed6810cb608024c6430338fe5f32bb7 09-Oct-2011 mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> Fixed bug: badHtmlHandler not receiving output when ioHandler is defanged

git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@69 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/HtmlStreamRenderer.java
dc2e862837c475f690846ad4ffc56f7e262f587a 16-Sep-2011 mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> Tweaked whitespace

git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@65 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/examples/EbayPolicyExample.java
756bebfa2515fd06f4e1b2ba8102e40765d47a8c 16-Sep-2011 mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> Rework regular expressions in EbayPolicyExample to not capture unnecessary content, and to not backtrack on invalid inputs. Other minor fixes to spelling and . exclusion.

git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@64 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/examples/EbayPolicyExample.java
f1c88874989dbe1ca93dcfa51be543138e00f0ae 17-Aug-2011 mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> Changed HtmlStreamRenderer to encode supplemental codepoints as HTML numeric entities to avoid UTF-16/UCS-2 confusion in the browser, and to avoid having Java UTF-8 encode individual surrogates instead of using the longer UTF-8 encoded forms.

git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@50 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/HtmlStreamRenderer.java
2c68185eb1bcaaeb0d1e5991b7795b1d2859b7ee 10-Aug-2011 mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> Added new HTML5 URL attributes to the list of URL attributes that are guarded by the URL safeguards in HtmlPolicyBuilder.

git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@48 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/HtmlPolicyBuilder.java
75d905c90100b9b05602b1878f847142e39836aa 02-Aug-2011 mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> Simplified null parameter handling in HtmlSanitizer.sanitize to present a consistently non-null html parameter to the whole function body. If html is null, the loop will be entered but there's no need to confuse the JIT with calls to substring on a value that's been checked for null earlier in the method.

git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@47 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/HtmlSanitizer.java
ee7fe14ffd97ab25e70f4403c56e5637f4239b9d 02-Aug-2011 mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> Changed HtmlSanitizer.sanitize to allow a null string of HTML as input.

git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@42 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/HtmlSanitizer.java
c4058d94a0e30de4532c65c0ec4a1ffd6d6ba26e 19-Jun-2011 mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> Commented example policies

git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@41 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/examples/EbayPolicyExample.java
wasp/html/examples/SlashdotPolicyExample.java
109b24565d3eb95a54ad9df8de2aa8c81bd32a24 08-Apr-2011 mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> Fleshed out styling policy with some of the most popular CSS properties from http://triin.net/2006/06/12/CSS

git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@30 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/StylingPolicy.java
5a047cbf3149f42b3e3309b1785ed0dc05d21ad4 05-Apr-2011 mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> Added a fuzzer for the HTML sanitizer and fixed a bug it exposed in numeric entity decoding.

git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@29 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/HtmlEntities.java
f06f9a5ed2a3dfd88320a8ad14ae1c032c6a80cf 05-Apr-2011 mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> Added a fuzzer test that checks that the parser is not in the TCB.

git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@28 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/Handler.java
wasp/html/HtmlStreamRenderer.java
8560af5e2982092cb27cce62aa9cfa5bb45ea387 05-Apr-2011 mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> Fixed CDATA rendering

git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@27 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/HtmlStreamRenderer.java
wasp/html/Strings.java
846d5d0377617bd20ac271a486f07bfe757cc7a2 26-Mar-2011 mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> refactor HtmlPolicyBuilder so allowAttribute calls can be applied to multiple elements and so that element name and attribute names are supplied unambiguously in the order the name implies.

git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@26 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/AttributePolicy.java
wasp/html/HtmlPolicyBuilder.java
wasp/html/examples/EbayPolicyExample.java
wasp/html/examples/SlashdotPolicyExample.java
b0d421ae1ad4fc51c126d40ec8ef153023f63454 23-Mar-2011 mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> tweaked

git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@25 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/StylingPolicy.java
6f896a5158f6ca5af94e9e66c2ed75731bd655a3 23-Mar-2011 mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> EBay policy example derived from antisamy

git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@24 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/examples/EbayPolicyExample.java
503b46e93244882d239e206a1feef2652838fa2b 23-Mar-2011 mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> Added text-decoration support to styling policy

git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@23 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/StylingPolicy.java
04fec67bccd1004fba68e662ba9709747aa65d30 11-Mar-2011 mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> Added an example to mirror the AntiSamy slashdot use case

git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@22 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/HtmlPolicyBuilder.java
wasp/html/HtmlSanitizer.java
wasp/html/examples/SlashdotPolicyExample.java
27b4be957534ebb90e21ac8d31bf722e4c9273bf 10-Mar-2011 mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> Wrote a tag balancer that correctly handles containment relationships.

git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@20 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/TagBalancingHtmlStreamEventReceiver.java
6d8c2e9241d042a3e0bff40dac4c388966ad060c 10-Mar-2011 mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> comment cleanup and added target to Makefile to run tests

git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@18 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/AttributePolicy.java
wasp/html/ElementPolicy.java
wasp/html/FilterUrlByProtocolAttributePolicy.java
wasp/html/HtmlLexer.java
wasp/html/HtmlPolicyBuilder.java
wasp/html/HtmlTextEscapingMode.java
wasp/html/HtmlTokenType.java
wasp/html/Trie.java
a35e496e40710c4561f2fc40c59e4b84cd1c5ec8 09-Mar-2011 mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> comments

git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@13 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/HtmlEntities.java
2d52178a7565106586e4fd00e8f433e956859abe 09-Mar-2011 mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> javadoc fixup

git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@12 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/HtmlPolicyBuilder.java
8403881c365ab36b721ccc4500af1b3a5bd25870 09-Mar-2011 mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> added license headers and a license.txt file

git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@10 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/AttributePolicy.java
wasp/html/CssGrammar.java
wasp/html/ElementAndAttributePolicies.java
wasp/html/ElementAndAttributePolicyBasedSanitizerPolicy.java
wasp/html/ElementPolicy.java
wasp/html/FilterUrlByProtocolAttributePolicy.java
wasp/html/Handler.java
wasp/html/HtmlEntities.java
wasp/html/HtmlLexer.java
wasp/html/HtmlPolicyBuilder.java
wasp/html/HtmlSanitizer.java
wasp/html/HtmlStreamEventReceiver.java
wasp/html/HtmlStreamRenderer.java
wasp/html/HtmlTextEscapingMode.java
wasp/html/HtmlToken.java
wasp/html/HtmlTokenType.java
wasp/html/StandardUrlAttributePolicy.java
wasp/html/Strings.java
wasp/html/StylingPolicy.java
wasp/html/TCB.java
wasp/html/TagBalancingHtmlStreamEventReceiver.java
wasp/html/TokenStream.java
wasp/html/Trie.java
wasp/html/package-info.java
4e867904c8295537803c1c8a076e130df5674b58 09-Mar-2011 mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> Revamped to use a policy builder pattern instead of requiring people to write their own policies.

git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@9 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/AttributePolicy.java
wasp/html/CssGrammar.java
wasp/html/ElementAndAttributePolicies.java
wasp/html/ElementAndAttributePolicyBasedSanitizerPolicy.java
wasp/html/ElementPolicy.java
wasp/html/FilterUrlByProtocolAttributePolicy.java
wasp/html/Handler.java
wasp/html/HtmlEntities.java
wasp/html/HtmlLexer.java
wasp/html/HtmlPolicyBuilder.java
wasp/html/HtmlSanitizer.java
wasp/html/HtmlStreamEventReceiver.java
wasp/html/HtmlStreamRenderer.java
wasp/html/HtmlTextEscapingMode.java
wasp/html/HtmlTokenType.java
wasp/html/ParseException.java
wasp/html/StandardUrlAttributePolicy.java
wasp/html/Strings.java
wasp/html/StylingPolicy.java
wasp/html/TagBalancingHtmlStreamEventReceiver.java
wasp/html/TokenStream.java
wasp/html/Trie.java
wasp/html/package-info.java
0f3a7565157c70edb1935f04888fdc0407397fab 02-Mar-2011 mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> test and Makefile cleanup

git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@7 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/HtmlEntities.java
wasp/html/HtmlStreamRenderer.java
3a3d912deec6a8382422b602031d12fee7d4c73a 02-Mar-2011 mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> Updated Makefile to build using the version 1.5 class file version and got rid of compiler warnings.

git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@6 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/HtmlStreamRenderer.java
wasp/html/ParseException.java
5c702c12be71d8070da9287cc4a044617dd726a7 01-Mar-2011 manico.james@gmail.com <manico.james@gmail.com@ad8eed46-c659-4a31-e19d-951d88f54425> Mike Samuels donation to OWASP

git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@2 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/Handler.java
wasp/html/HtmlEntities.java
wasp/html/HtmlLexer.java
wasp/html/HtmlSanitizer.java
wasp/html/HtmlStreamEventReceiver.java
wasp/html/HtmlStreamRenderer.java
wasp/html/HtmlTextEscapingMode.java
wasp/html/HtmlToken.java
wasp/html/HtmlTokenType.java
wasp/html/ParseException.java
wasp/html/Strings.java
wasp/html/TCB.java
wasp/html/TagBalancingHtmlStreamEventReceiver.java
wasp/html/TokenStream.java
wasp/html/Trie.java
wasp/html/package-info.java