550c8d3230c152db7156b266d089512b72ac0024 |
07-May-2014 |
mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> |
Fixed shift underflow bug in interElementWhitespace checking. git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@231 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/TagBalancingHtmlStreamEventReceiver.java
|
9c0798e090ee7db347657ed2b8604ce26fbe74d1 |
06-May-2014 |
mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> |
issue 28: fix Sanitizer.STYLES by changing PolicyFactory to store globals and apply its globals to the other factory when combining PolicyFactories via PolicyFactory.and git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@229 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/AttributePolicy.java
wasp/html/ElementAndAttributePolicies.java
wasp/html/FilterUrlByProtocolAttributePolicy.java
wasp/html/HtmlPolicyBuilder.java
wasp/html/PolicyFactory.java
wasp/html/StylingPolicy.java
|
d86290faea7165946969d0052b1244d87f2139bb |
06-May-2014 |
mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> |
Recognize that <basefont> is an empty element git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@228 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/HtmlTextEscapingMode.java
|
299511715e3425b6525aa34332610e41975e77b2 |
27-Feb-2014 |
mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> |
fixed findbugs warning about missing default git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@221 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/examples/UrlTextExample.java
|
e5d1831401c6302339a6902f790d7c133f8a4b55 |
27-Feb-2014 |
mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> |
fixed issue 23: ANDing two policies was confused by allowWithoutAttributes overrides of elements like <img>,<a>,<span> that are by-default dropped without elements git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@220 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/ElementAndAttributePolicies.java
|
7d0755627f174ec9d5f148bd9fa3a5cc732edb3f |
27-Feb-2014 |
mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> |
fix issue 24: protocol whitelisting not case-insensitive git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@218 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/FilterUrlByProtocolAttributePolicy.java
|
36633f880daebe2d5a3360ebfe57df5bd4a6e53a |
27-Feb-2014 |
mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> |
added possessive quantifier to OFFSITE_URL regex to address issue https://code.google.com/p/owasp-java-html-sanitizer/issues/detail?id=25 git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@217 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/examples/EbayPolicyExample.java
|
fad0ad7c601b441c699c817a778d1e4ea51fa8f5 |
27-Feb-2014 |
mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> |
add srcset attribute to the list of URL attributes git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@216 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/HtmlPolicyBuilder.java
|
29485df1063d171e17769b5ad55128abb979a846 |
28-Oct-2013 |
mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> |
fixed year in file header. Damn file headers and cargo-cult lawyering. git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@214 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/examples/UrlTextExample.java
|
aab0cbeeb7abb201e1ed154fd1db4e4846e51692 |
28-Oct-2013 |
mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> |
unit tests for UrlTextExample git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@213 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/examples/UrlTextExample.java
|
9527772b09c52dc9adbf1624bd150f4d8e826153 |
28-Oct-2013 |
mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> |
fixes for UrlTextExample git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@212 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/HtmlTextEscapingMode.java
wasp/html/examples/UrlTextExample.java
|
1834ad78fccdbe09c0fec7a79f854fda8b9a6fcd |
28-Oct-2013 |
mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> |
an example that explains how to use event receivers to annotate links and images git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@211 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/examples/UrlTextExample.java
|
8ee01758dfc6f9871c2d4da44b4ce106c6be8020 |
05-Sep-2013 |
mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> |
reworked the public API of CssSchema to allow clients to white-list further properties per https://groups.google.com/forum/#!topic/owasp-java-html-sanitizer-support/ZFxMMOh8dyk git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@205 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/CssSchema.java
|
a1b4378ade2caa7a029abba418a37ed7b94e7a7f |
04-Sep-2013 |
mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> |
warning cleanup: field hiding git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@203 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/TagBalancingHtmlStreamEventReceiver.java
|
ce5bde40e2e126de05105f09f1f965a5c70aaa94 |
22-Jul-2013 |
mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> |
cosmetic fixes to source code: line wrapping and comments git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@198 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/CssSchema.java
wasp/html/Encoding.java
wasp/html/HtmlPolicyBuilder.java
wasp/html/Sanitizers.java
wasp/html/StylingPolicy.java
wasp/html/TagBalancingHtmlStreamEventReceiver.java
|
1af054935066ae9db1476bef96ff224410edb1f4 |
22-Jul-2013 |
mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> |
refactored CssSchema to distinguish between a schema, a collection of property filters, and the properties themselves which are now instances of an inner class. Added code to the policy builder to allow a styling policy to be created with a custom schema. git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@197 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/CssSchema.java
wasp/html/HtmlPolicyBuilder.java
wasp/html/StylingPolicy.java
|
5d249f1bf7938bbba10d2cbfdeb159220a6ea16c |
21-Jul-2013 |
mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> |
wrote a fuzzer for the CSS lexer to tease out token merging and misclassification problems by throwing tons of random inputs at the lexer and checking overall properties like termination, idempotence, and pattern matching each output token. git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@195 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/CssTokens.java
|
aaf3076dbab1d3484717a87085e27ec21c7217d1 |
21-Jul-2013 |
mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> |
added main method to CssSchema to make reviewing the white-list easier git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@194 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/CssSchema.java
|
adf65fa8048eaf04e12e2b36e3ad9a78429ce96b |
18-Jul-2013 |
mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> |
cleanup and deduping schema git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@193 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/CssSchema.java
|
8a521140d4f962a2c91e12026ea61a5511b17bd2 |
18-Jul-2013 |
mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> |
fleshed out CSS lexer tests, added handling for line continuations in strings, and stripped out debugging cruft git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@192 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/CssTokens.java
|
6afee9b02bc894e2f91eec3ac2e7e9c0c30c2878 |
18-Jul-2013 |
mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> |
clean up debugging cruft and IDE warnings git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@190 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/CssGrammar.java
|
b268f8745b09a77af2e8c77ffd376b6459bf4fec |
18-Jul-2013 |
mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> |
rewrite the CSS sanitizer to do token-level filtering git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@188 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/StylingPolicy.java
|
f8bc9acbd49eb8d97767129862426a9c865247ef |
18-Jul-2013 |
mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> |
a table of CSS properties and the tokens allowed in their values derived from the Caja white-lists git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@187 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/CssSchema.java
|
5e810f7ffa3dc2f6baefc762abd7e4ad31a640cb |
17-Jul-2013 |
mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> |
remove debugging cruft and only treat properly lengthed hash literals as unrestricted git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@186 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/CssGrammar.java
|
9f3ae6ac5732a614eb965a97f3d47d7acc21e98b |
17-Jul-2013 |
mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> |
fixed token merging of unicode ranges and differentiate quantities with known suffices from those without git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@185 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/CssTokens.java
|
195fd71a25612b7c24d4f46b3596cc27d0a1bdb0 |
17-Jul-2013 |
mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> |
fleshed out tests for new CSS lexer git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@182 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/CssGrammar.java
wasp/html/CssTokens.java
|
87a0aa3f3a06733ee76e249e957f0b8aaf7b2565 |
17-Jul-2013 |
mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> |
debugged bracket indices and fixed bugs in space allocation on unclosed bracket pairs at end of input and in the mapping from close-brackets to their partners git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@181 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/CssTokens.java
|
b600c3cd7edfb02d79c264fd83b1306e94053b7e |
17-Jul-2013 |
mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> |
REGRESSION RISK: replace CSS lexer based on regular expressions with one that does not backtrack or left-recurse. This new code has not yet been thoroughly tested. Fuzzing and hardening will happen in follow-on CLs but it is not yet suitable for stable. git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@180 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/CssGrammar.java
wasp/html/CssTokens.java
wasp/html/StylingPolicy.java
|
4a4eface066ace45d8220fdaad0ab0cfd7c4cc29 |
17-Jul-2013 |
mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> |
fix typo in documentation git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@179 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/HtmlPolicyBuilder.java
|
be666032a113a8af92bc557add8e83579cf0ef5c |
17-Jul-2013 |
mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> |
cleanup IDE warnings about methods that could be static git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@178 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/ElementAndAttributePolicyBasedSanitizerPolicy.java
wasp/html/HtmlLexer.java
|
dce9ad7d3bd7d17abd3f707ba8cd381fa8a4d539 |
10-Jun-2013 |
mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> |
box model handling for styles git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@176 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/CssGrammar.java
wasp/html/StylingPolicy.java
|
783908cf042927b900d42383d30ec1fb8ee83d1f |
16-May-2013 |
mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> |
fixed tag balancer so that implicit end tags are not generated for scope-introducing elements like tables and list items when a close tag ought to be restricted to an element within that scope git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@173 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/TagBalancingHtmlStreamEventReceiver.java
|
0ca1e3cb72745696510f7b23dc0998cc001b9c00 |
16-May-2013 |
mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> |
unused import git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@171 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/examples/EbayPolicyExample.java
|
4c1e3417997042b0b485cbf71344a0210dfaba04 |
24-Apr-2013 |
mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> |
modify the HTML schema in TagBalancingHtmlStreamEventReceiver to make sure character data is allowed in option elements git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@163 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/TagBalancingHtmlStreamEventReceiver.java
|
6ca215a0c4ddbbf4f6528df5d0e6ba2009d564cd |
27-Mar-2013 |
mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> |
fixed minor bug in EbayPolicyExample which exposed a bug in requireRelNofFollowOnLinks that was half-heartedly allowing links git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@161 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/HtmlPolicyBuilder.java
wasp/html/examples/EbayPolicyExample.java
|
489a0ec7301a86af8497d24748336db09ca278da |
26-Feb-2013 |
mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> |
upgraded to most recent version of findbugs git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@155 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/HtmlStreamRenderer.java
wasp/html/PolicyFactory.java
|
c517d7c6cadcd8643d565783464a2728be8c08d9 |
12-Feb-2013 |
mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> |
instead of creating <font> elements when sanitizing CSS, just do a better job of white-listing and sanitizing font faces, sizes, and alignment. This fixes problems whereby font elements were being introduced into tables but outside the table cells they were meant to style and which can legally contain them git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@147 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/ElementAndAttributePolicyBasedSanitizerPolicy.java
wasp/html/FilterUrlByProtocolAttributePolicy.java
wasp/html/HtmlPolicyBuilder.java
wasp/html/PolicyFactory.java
wasp/html/StylingPolicy.java
|
0904bd6638ced4212ff03eccce948a1d4b6f0992 |
12-Feb-2013 |
mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> |
commented out unused function git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@144 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/HtmlEntities.java
|
79b4c29af1261d95c663bdf0003b70cb0eb8000e |
21-Nov-2012 |
mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> |
added methods to the policy builder to specify which elements are allowed to contain text. By default text is allowed in any allowed element that can contain normal flow or block content, but disallowed in CDATA elements like <iframe>. git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@132 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/ElementAndAttributePolicyBasedSanitizerPolicy.java
wasp/html/HtmlPolicyBuilder.java
wasp/html/PolicyFactory.java
wasp/html/StylingPolicy.java
wasp/html/TagBalancingHtmlStreamEventReceiver.java
|
63dba946a9a0b3af438ca08b6824e653e5ca58c5 |
06-Nov-2012 |
mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> |
added restrictions to the TagBalancingHtmlStreamEventReceiver so non-whitespace text nodes can only appear where phrasing content, flow content, or regular character data are allowed. This means that an <li> is added around "two" in <ul><li>one</li>two</ul>. changed the tag balancer to also recognize that </h3> and friends close any open header. git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@122 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/TagBalancingHtmlStreamEventReceiver.java
|
1ecbdce5dd203e7aca2b93650ca3afce17dbc095 |
23-Oct-2012 |
mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> |
fix issue 7: misnested lists. Changes tag balancer to insert block container elements when a block or flow content element is seen in a context where block and flow elements are disallowed. git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@121 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/TagBalancingHtmlStreamEventReceiver.java
|
0df9131f7be5c0f90ce70d43b7e4239a6a6df016 |
22-Sep-2012 |
mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> |
changed rendering to ensure that the output HTML is always valid XML when the policy prohibits HTML raw text & RCDATA elements git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@114 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/Encoding.java
wasp/html/HtmlSanitizer.java
wasp/html/HtmlStreamRenderer.java
|
d687f1e3b48d511bc22f04c38931b9351846ac88 |
01-Aug-2012 |
mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> |
added intrusion detection version of PolicyFactory.sanitize git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@112 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/PolicyFactory.java
|
68c898cc07aad9e4c616522afdd13a0cc4534117 |
01-Aug-2012 |
mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> |
added convenience APIs for intrusion detection hooks git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@110 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/HtmlChangeListener.java
wasp/html/HtmlChangeReporter.java
wasp/html/HtmlPolicyBuilder.java
wasp/html/HtmlSanitizer.java
wasp/html/PolicyFactory.java
|
6f2fc048ffc4ada68fabb389eb3f409229625b90 |
01-Aug-2012 |
mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> |
added an interstitial layer that can report dropped tags and attributes to an intrusion detection system git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@109 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/HtmlChangeListener.java
wasp/html/HtmlChangeReporter.java
|
c9415e2bae5ddb7887d87a6e38a4d3074dfb320b |
11-May-2012 |
mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> |
fixed typo in comment git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@106 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/HtmlTokenType.java
|
d78e82dfc7da9c1e4ad8e4199bc375089a799c85 |
10-May-2012 |
mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> |
Tweak lexer token grammar to handle XML prologues, processing instructions and HTML5 bogus comments properly. HTML5 transitions into a bogus comment state on seeing "<?" from a data state and ends at the first ">" or end of file token seen. XML Processing instructions and XML Prologues are both subsets of this production. This changes the lexer to use that grammar instead of ending at "?>" or end of file which handles comments that Outlook puts in HTML copied from an email. The lexer is not in the TCB so this change is low risk. git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@104 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/HtmlLexer.java
wasp/html/HtmlSanitizer.java
wasp/html/HtmlTokenType.java
|
e7e78dd647a336268098d3438acc27ff4fcf0322 |
26-Mar-2012 |
mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> |
Fix issue 5: protocol filtering failed to match the proper substring against the allowed protocol set. git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@99 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/FilterUrlByProtocolAttributePolicy.java
|
b530bfd7496ead9ab962726781dd90b6c739cdce |
02-Nov-2011 |
mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> |
Rework handling of raw-text elements to avoid browser confusion git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@87 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/HtmlStreamRenderer.java
wasp/html/HtmlTextEscapingMode.java
|
1bfae835221847e7791625e2baa98a60eb3cfa8a |
26-Oct-2011 |
mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> |
fix IE8 innerHTML issue git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@86 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/ElementAndAttributePolicyBasedSanitizerPolicy.java
wasp/html/HtmlLexer.java
wasp/html/HtmlStreamRenderer.java
wasp/html/PolicyFactory.java
wasp/html/StylingPolicy.java
|
5b7822ad25b5ebd8bc2733b914215e6189a785cc |
19-Oct-2011 |
mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> |
reworked color handling in StylingPolicy to allow background and to only ever output #hex colors git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@83 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/StylingPolicy.java
|
40d8af71b50230379c385b3ad9aa36034a0761eb |
19-Oct-2011 |
mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> |
allow font sizes to be specified in pixels git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@82 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/StylingPolicy.java
|
d702e7e7fd237420e6b22b93a02ec5996c88d2ea |
19-Oct-2011 |
mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> |
Fixed initialization error in example and added test to make sure the examples run git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@81 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/examples/EbayPolicyExample.java
|
4d17cd9ce55e109898d50a4e54f01838f3cb93dc |
19-Oct-2011 |
mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> |
adjusted document depth limit based on default from WebCore git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@80 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/HtmlSanitizer.java
|
3f54e49f2181c52ca40d99fbe738b2484ba91528 |
14-Oct-2011 |
mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> |
Fix issue 3: "Deeply nested elements crash FF 8, Chrome 11" by not emitting any tokens from TagBalancingHtmlStreamEventReceiver when the open element stack exceeds a nestingLimit. This limit is 128 based on some data on table nesting levels seen in the wild by Opera but I am continuing to look for info about the distribution of actual nesting depth for documents in the wild. git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@79 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/HtmlSanitizer.java
wasp/html/TagBalancingHtmlStreamEventReceiver.java
|
6434d0d4455c4afb38b7c9c58c4ad844fb761a3f |
09-Oct-2011 |
mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> |
more javadoc fixes git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@74 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/Sanitizers.java
|
d7c2f9f6c741b83b880ad878269d18ceb1af1d4a |
09-Oct-2011 |
mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> |
fixed javadoc git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@73 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/Sanitizers.java
|
38bb37b955601261fd8945ee22aa09ac30d29298 |
09-Oct-2011 |
mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> |
Added Sanitizers class with prepackaged policies, extracted the policy implementation from HtmlPolicyBuilder and extended it with convenience methods sanitize(String) and and(..) which allows composition of built policy factories. git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@71 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/ElementAndAttributePolicies.java
wasp/html/HtmlPolicyBuilder.java
wasp/html/PolicyFactory.java
wasp/html/Sanitizers.java
|
6691ce1a99dafc59640caa4a32dba505ceebe8ca |
09-Oct-2011 |
mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> |
Updated list of void HTML elements git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@70 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/HtmlTextEscapingMode.java
|
f27efcbb0ed6810cb608024c6430338fe5f32bb7 |
09-Oct-2011 |
mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> |
Fixed bug: badHtmlHandler not receiving output when ioHandler is defanged git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@69 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/HtmlStreamRenderer.java
|
dc2e862837c475f690846ad4ffc56f7e262f587a |
16-Sep-2011 |
mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> |
Tweaked whitespace git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@65 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/examples/EbayPolicyExample.java
|
756bebfa2515fd06f4e1b2ba8102e40765d47a8c |
16-Sep-2011 |
mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> |
Rework regular expressions in EbayPolicyExample to not capture unnecessary content, and to not backtrack on invalid inputs. Other minor fixes to spelling and . exclusion. git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@64 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/examples/EbayPolicyExample.java
|
f1c88874989dbe1ca93dcfa51be543138e00f0ae |
17-Aug-2011 |
mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> |
Changed HtmlStreamRenderer to encode supplemental codepoints as HTML numeric entities to avoid UTF-16/UCS-2 confusion in the browser, and to avoid having Java UTF-8 encode individual surrogates instead of using the longer UTF-8 encoded forms. git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@50 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/HtmlStreamRenderer.java
|
2c68185eb1bcaaeb0d1e5991b7795b1d2859b7ee |
10-Aug-2011 |
mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> |
Added new HTML5 URL attributes to the list of URL attributes that are guarded by the URL safeguards in HtmlPolicyBuilder. git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@48 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/HtmlPolicyBuilder.java
|
75d905c90100b9b05602b1878f847142e39836aa |
02-Aug-2011 |
mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> |
Simplified null parameter handling in HtmlSanitizer.sanitize to present a consistently non-null html parameter to the whole function body. If html is null, the loop will be entered but there's no need to confuse the JIT with calls to substring on a value that's been checked for null earlier in the method. git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@47 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/HtmlSanitizer.java
|
ee7fe14ffd97ab25e70f4403c56e5637f4239b9d |
02-Aug-2011 |
mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> |
Changed HtmlSanitizer.sanitize to allow a null string of HTML as input. git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@42 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/HtmlSanitizer.java
|
c4058d94a0e30de4532c65c0ec4a1ffd6d6ba26e |
19-Jun-2011 |
mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> |
Commented example policies git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@41 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/examples/EbayPolicyExample.java
wasp/html/examples/SlashdotPolicyExample.java
|
109b24565d3eb95a54ad9df8de2aa8c81bd32a24 |
08-Apr-2011 |
mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> |
Fleshed out styling policy with some of the most popular CSS properties from http://triin.net/2006/06/12/CSS git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@30 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/StylingPolicy.java
|
5a047cbf3149f42b3e3309b1785ed0dc05d21ad4 |
05-Apr-2011 |
mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> |
Added a fuzzer for the HTML sanitizer and fixed a bug it exposed in numeric entity decoding. git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@29 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/HtmlEntities.java
|
f06f9a5ed2a3dfd88320a8ad14ae1c032c6a80cf |
05-Apr-2011 |
mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> |
Added a fuzzer test that checks that the parser is not in the TCB. git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@28 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/Handler.java
wasp/html/HtmlStreamRenderer.java
|
8560af5e2982092cb27cce62aa9cfa5bb45ea387 |
05-Apr-2011 |
mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> |
Fixed CDATA rendering git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@27 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/HtmlStreamRenderer.java
wasp/html/Strings.java
|
846d5d0377617bd20ac271a486f07bfe757cc7a2 |
26-Mar-2011 |
mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> |
refactor HtmlPolicyBuilder so allowAttribute calls can be applied to multiple elements and so that element name and attribute names are supplied unambiguously in the order the name implies. git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@26 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/AttributePolicy.java
wasp/html/HtmlPolicyBuilder.java
wasp/html/examples/EbayPolicyExample.java
wasp/html/examples/SlashdotPolicyExample.java
|
b0d421ae1ad4fc51c126d40ec8ef153023f63454 |
23-Mar-2011 |
mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> |
tweaked git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@25 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/StylingPolicy.java
|
6f896a5158f6ca5af94e9e66c2ed75731bd655a3 |
23-Mar-2011 |
mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> |
EBay policy example derived from antisamy git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@24 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/examples/EbayPolicyExample.java
|
503b46e93244882d239e206a1feef2652838fa2b |
23-Mar-2011 |
mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> |
Added text-decoration support to styling policy git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@23 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/StylingPolicy.java
|
04fec67bccd1004fba68e662ba9709747aa65d30 |
11-Mar-2011 |
mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> |
Added an example to mirror the AntiSamy slashdot use case git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@22 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/HtmlPolicyBuilder.java
wasp/html/HtmlSanitizer.java
wasp/html/examples/SlashdotPolicyExample.java
|
27b4be957534ebb90e21ac8d31bf722e4c9273bf |
10-Mar-2011 |
mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> |
Wrote a tag balancer that correctly handles containment relationships. git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@20 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/TagBalancingHtmlStreamEventReceiver.java
|
6d8c2e9241d042a3e0bff40dac4c388966ad060c |
10-Mar-2011 |
mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> |
comment cleanup and added target to Makefile to run tests git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@18 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/AttributePolicy.java
wasp/html/ElementPolicy.java
wasp/html/FilterUrlByProtocolAttributePolicy.java
wasp/html/HtmlLexer.java
wasp/html/HtmlPolicyBuilder.java
wasp/html/HtmlTextEscapingMode.java
wasp/html/HtmlTokenType.java
wasp/html/Trie.java
|
a35e496e40710c4561f2fc40c59e4b84cd1c5ec8 |
09-Mar-2011 |
mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> |
comments git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@13 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/HtmlEntities.java
|
2d52178a7565106586e4fd00e8f433e956859abe |
09-Mar-2011 |
mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> |
javadoc fixup git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@12 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/HtmlPolicyBuilder.java
|
8403881c365ab36b721ccc4500af1b3a5bd25870 |
09-Mar-2011 |
mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> |
added license headers and a license.txt file git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@10 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/AttributePolicy.java
wasp/html/CssGrammar.java
wasp/html/ElementAndAttributePolicies.java
wasp/html/ElementAndAttributePolicyBasedSanitizerPolicy.java
wasp/html/ElementPolicy.java
wasp/html/FilterUrlByProtocolAttributePolicy.java
wasp/html/Handler.java
wasp/html/HtmlEntities.java
wasp/html/HtmlLexer.java
wasp/html/HtmlPolicyBuilder.java
wasp/html/HtmlSanitizer.java
wasp/html/HtmlStreamEventReceiver.java
wasp/html/HtmlStreamRenderer.java
wasp/html/HtmlTextEscapingMode.java
wasp/html/HtmlToken.java
wasp/html/HtmlTokenType.java
wasp/html/StandardUrlAttributePolicy.java
wasp/html/Strings.java
wasp/html/StylingPolicy.java
wasp/html/TCB.java
wasp/html/TagBalancingHtmlStreamEventReceiver.java
wasp/html/TokenStream.java
wasp/html/Trie.java
wasp/html/package-info.java
|
4e867904c8295537803c1c8a076e130df5674b58 |
09-Mar-2011 |
mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> |
Revamped to use a policy builder pattern instead of requiring people to write their own policies. git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@9 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/AttributePolicy.java
wasp/html/CssGrammar.java
wasp/html/ElementAndAttributePolicies.java
wasp/html/ElementAndAttributePolicyBasedSanitizerPolicy.java
wasp/html/ElementPolicy.java
wasp/html/FilterUrlByProtocolAttributePolicy.java
wasp/html/Handler.java
wasp/html/HtmlEntities.java
wasp/html/HtmlLexer.java
wasp/html/HtmlPolicyBuilder.java
wasp/html/HtmlSanitizer.java
wasp/html/HtmlStreamEventReceiver.java
wasp/html/HtmlStreamRenderer.java
wasp/html/HtmlTextEscapingMode.java
wasp/html/HtmlTokenType.java
wasp/html/ParseException.java
wasp/html/StandardUrlAttributePolicy.java
wasp/html/Strings.java
wasp/html/StylingPolicy.java
wasp/html/TagBalancingHtmlStreamEventReceiver.java
wasp/html/TokenStream.java
wasp/html/Trie.java
wasp/html/package-info.java
|
0f3a7565157c70edb1935f04888fdc0407397fab |
02-Mar-2011 |
mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> |
test and Makefile cleanup git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@7 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/HtmlEntities.java
wasp/html/HtmlStreamRenderer.java
|
3a3d912deec6a8382422b602031d12fee7d4c73a |
02-Mar-2011 |
mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> |
Updated Makefile to build using the version 1.5 class file version and got rid of compiler warnings. git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@6 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/HtmlStreamRenderer.java
wasp/html/ParseException.java
|
5c702c12be71d8070da9287cc4a044617dd726a7 |
01-Mar-2011 |
manico.james@gmail.com <manico.james@gmail.com@ad8eed46-c659-4a31-e19d-951d88f54425> |
Mike Samuel's donation to OWASP git-svn-id: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk@2 ad8eed46-c659-4a31-e19d-951d88f54425
wasp/html/Handler.java
wasp/html/HtmlEntities.java
wasp/html/HtmlLexer.java
wasp/html/HtmlSanitizer.java
wasp/html/HtmlStreamEventReceiver.java
wasp/html/HtmlStreamRenderer.java
wasp/html/HtmlTextEscapingMode.java
wasp/html/HtmlToken.java
wasp/html/HtmlTokenType.java
wasp/html/ParseException.java
wasp/html/Strings.java
wasp/html/TCB.java
wasp/html/TagBalancingHtmlStreamEventReceiver.java
wasp/html/TokenStream.java
wasp/html/Trie.java
wasp/html/package-info.java
|