Merge branch 'main' into cssschema-withProperties

Author: mikesamuel

.gitattributes

@@ -0,0 +1,13 @@
+/COPYING text
+/src/test/resources/org/owasp/html/* text eol=lf
+.gitattributes text
+.gitignore text
+*.html text
+*.java text
+*.js text
+*.json text
+*.md text
+*.sh text
+*.txt text
+*.xml text
+*.yml text

.github/workflows/maven.yml

@@ -0,0 +1,43 @@
+# This workflow will build a Java project with Maven, and cache/restore any dependencies to improve the workflow execution time
+# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-java-with-maven
+
+name: Java CI with Maven
+
+on:
+  push:
+    paths-ignore:
+      - '.github/workflows/*.yml'
+      - '!.github/workflows/maven.yml'
+  pull_request:
+    paths-ignore:
+      - '.github/workflows/*.yml'
+      - '!.github/workflows/maven.yml'
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    strategy:
+      matrix:
+        java: [ '11', '17', '21' ]
+
+    steps:
+    - uses: actions/checkout@v4
+    - name: Set up JDK ${{ matrix.Java }}
+      uses: actions/setup-java@v4
+      with:
+        java-version: ${{ matrix.Java }}
+        distribution: 'temurin'
+        cache: maven
+    - name: Build with Maven
+      run: mvn --batch-mode --errors --fail-at-end --show-version --update-snapshots verify
+    - name: Store artifact
+      if: ${{ matrix.Java == 11 }}
+      uses: actions/upload-artifact@v4
+      with:
+        name: jar-jdk${{ matrix.Java }}
+        path: target/*.jar
+        retention-days: 7

README.md

@@ -7,7 +7,7 @@ A fast and easy to configure HTML Sanitizer written in Java which lets
 you include HTML authored by third-parties in your web application while
 protecting against XSS.
 
-The existing dependencies are on guava and JSR 305.  The other jars
+The existing dependency is on JSR 305. The other jars
 are only needed by the test suite.  The JSR 305 dependency is a
 compile-only dependency, only needed for annotations.
 

RELEASE-checklist.sh

@@ -8,7 +8,6 @@ set -e
 
 
 # Make sure the build is ok via
-mvn -Dguava.version=27.0-jre -f aggregate clean verify                    javadoc:jar source:jar
 mvn                          -f aggregate clean verify jacoco:report site javadoc:jar source:jar
 mvn install
 mvn org.sonatype.ossindex.maven:ossindex-maven-plugin:audit -f aggregate

docs/getting_started.md

@@ -4,12 +4,11 @@
 
 If you are using Maven then follow the [maven](maven.md) directions to
 add a dependency.  Otherwise,
-[download prebuilt jars](https://search.maven.org/#artifactdetails%7Ccom.googlecode.owasp-java-html-sanitizer%7Cowasp-java-html-sanitizer%7C20180219.1%7Cjar)
+[download prebuilt jars](https://search.maven.org/artifact/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/)
 or `git clone git@github.com:OWASP/java-html-sanitizer.git` and build
 the latest source.
 
-Unless maven is managing your CLASSPATH for you, you need to add both `owasp-java-html-sanitizer.jar` and the
-Guava JAR.
+Unless maven is managing your CLASSPATH for you, you need to add `owasp-java-html-sanitizer.jar`.
 
 Once you have your CLASSPATH set up correctly with the relevant JARs
 you should be able to add

parent/pom.xml

@@ -257,7 +257,7 @@ application while protecting against XSS.
       <dependency>
         <groupId>com.google.protobuf</groupId>
         <artifactId>protobuf-java</artifactId>
-        <version>3.9.1</version>
+        <version>3.16.3</version>
         <scope>provided</scope>
       </dependency>
       <dependency>

src/main/java/org/owasp/html/HtmlPolicyBuilder.java

@@ -32,7 +32,6 @@
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.LinkedHashMap;
-import java.util.LinkedHashSet;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
@@ -965,12 +964,11 @@ public AttributeBuilder matching(
      */
     @SuppressWarnings("synthetic-access")
     public HtmlPolicyBuilder globally() {
-      if(attributeNames.get(0).equals("style")) {
-        return allowStyling();
-      } else {
-        return HtmlPolicyBuilder.this.allowAttributesGlobally(
-            policy, attributeNames);
+      if (attributeNames.contains("style")) {
+        allowStyling();
       }
+      return HtmlPolicyBuilder.this.allowAttributesGlobally(
+          policy, attributeNames);
     }
 
     /**

src/main/java/org/owasp/html/AllExamples.java renamed to src/test/java/org/owasp/html/AllExamples.java

@@ -55,6 +55,9 @@ public static final void testDangerousProperties() {
           // Prefix corner cases.
           "-",
           "-moz-",
+          "-ms-",
+          "-o-",
+          "-webkit-",
         }) {
       assertSame(key, CssSchema.DISALLOWED, CssSchema.DEFAULT.forKey(key));
     }

src/test/java/org/owasp/html/CssSchemaTest.java

@@ -232,7 +232,28 @@ public static final void testStyleFiltering() {
   }
 
   @Test
-  public void testCustomPropertyStyleFilterung() {
+  public void testSpecificStyleFilterung() {
+    assertEquals(
+        Arrays.stream(new String[] {
+            "<h1>Header</h1>",
+            "<p>Paragraph 1</p>",
+            "<p>Click me out</p>",
+            "<p></p>",
+            "<p><b>Fancy</b> with <i><b>soupy</b></i><b> tags</b>.",
+            "</p><p style=\"text-align:center\">Stylish Para 1</p>",
+            "<p style=\"color:red\">Stylish Para 2</p>",
+            ""}).collect(Collectors.joining("\n")),
+        apply(new HtmlPolicyBuilder()
+              .allowCommonInlineFormattingElements()
+              .allowCommonBlockElements()
+              .allowStyling(CssSchema.withProperties(
+                  List.of("color", "text-align", "font-size")))
+              .allowStandardUrlProtocols()));
+  }
+
+
+  @Test
+  public void testCustomPropertyStyleFiltering() {
     assertEquals(
         Arrays.stream(new String[] {
             "<h1>Header</h1>",
@@ -256,7 +277,29 @@ public void testCustomPropertyStyleFilterung() {
   }
 
   @Test
-  public void testCustomPropertyStyleFilterungDisallowed() {
+  public void testUnionStyleFiltering() {
+    assertEquals(
+        Arrays.stream(new String[] {
+            "<h1>Header</h1>",
+            "<p>Paragraph 1</p>",
+            "<p>Click me out</p>",
+            "<p></p>",
+            "<p><b>Fancy</b> with <i><b>soupy</b></i><b> tags</b>.",
+            "</p><p style=\"text-align:center\">Stylish Para 1</p>",
+            "<p style=\"color:red\">Stylish Para 2</p>",
+            ""}).collect(Collectors.joining("\n")),
+        apply(new HtmlPolicyBuilder()
+              .allowCommonInlineFormattingElements()
+              .allowCommonBlockElements()
+              .allowStyling(CssSchema.withProperties(
+                  List.of("color", "text-align")))
+              .allowStyling( // union allowed style properties
+                   CssSchema.withProperties(List.of("font-size")))
+              .allowStandardUrlProtocols()));
+  }
+
+  @Test
+  public void testCustomPropertyStyleFilteringDisallowed() {
     assertEquals(
         Arrays.stream(new String[] {
             "<h1>Header</h1>",
@@ -339,6 +382,25 @@ public static final void testAllowUrlProtocols() {
             .allowUrlProtocols("http")));
   }
 
+  @Test
+  public static final void testDisallowUrlProtocols() {
+    assertEquals(
+        Arrays.stream(new String[] {
+            "Header",
+            "Paragraph 1",
+            "Click me out",
+            "<img src=\"canary.png\" alt=\"local-canary\" />",
+            "Fancy with soupy tags.",
+            "Stylish Para 1",
+            "Stylish Para 2",
+            ""}).collect(Collectors.joining("\n")),
+        apply(new HtmlPolicyBuilder()
+            .allowElements("img")
+            .allowAttributes("src", "alt").onElements("img")
+            .allowUrlProtocols("http", "https")
+            .disallowUrlProtocols("http")));
+  }
+
   @Test
   public static final void testPossibleFalloutFromIssue5() {
     assertEquals(
@@ -897,6 +959,52 @@ public static final void testEmptyDefaultLinkRelsSet() {
         pf.sanitize("<a href=\"http://example.com\" target=\"_blank\">eg</a>"));
   }
 
+  @Test
+  public static final void testRequireAndSkipRels() {
+    PolicyFactory pf = new HtmlPolicyBuilder()
+        .allowElements("a")
+        .allowAttributes("href", "target").onElements("a")
+        .allowStandardUrlProtocols()
+        .requireRelsOnLinks("noreferrer")
+        .skipRelsOnLinks("noopener", "noreferrer")
+        .toFactory();
+
+    assertEquals(
+            "<a href=\"http://example.com\" target=\"_blank\">eg</a>",
+            pf.sanitize("<a href=\"http://example.com\" target=\"_blank\">eg</a>"));
+
+    assertEquals(
+            "<a href=\"http://example.com\" target=\"_blank\">eg</a>",
+            pf.sanitize("<a href=\"http://example.com\" rel=noreferrer target=\"_blank\">eg</a>"));
+
+    assertEquals(
+            "<a href=\"http://example.com\" target=\"_blank\">eg</a>",
+            pf.sanitize("<a href=\"http://example.com\" rel=noopener target=\"_blank\">eg</a>"));
+  }
+
+  @Test
+  public static final void testSkipAndRequireRels() {
+    PolicyFactory pf = new HtmlPolicyBuilder()
+        .allowElements("a")
+        .allowAttributes("href", "target").onElements("a")
+        .allowStandardUrlProtocols()
+        .skipRelsOnLinks("noopener", "noreferrer")
+        .requireRelsOnLinks("noreferrer")
+        .toFactory();
+
+    assertEquals(
+            "<a href=\"http://example.com\" target=\"_blank\" rel=\"noreferrer\">eg</a>",
+            pf.sanitize("<a href=\"http://example.com\" target=\"_blank\">eg</a>"));
+
+    assertEquals(
+            "<a href=\"http://example.com\" target=\"_blank\" rel=\"noreferrer\">eg</a>",
+            pf.sanitize("<a href=\"http://example.com\" rel=noreferrer target=\"_blank\">eg</a>"));
+
+    assertEquals(
+            "<a href=\"http://example.com\" target=\"_blank\" rel=\"noreferrer\">eg</a>",
+            pf.sanitize("<a href=\"http://example.com\" rel=noopener target=\"_blank\">eg</a>"));
+  }
+
   @Test
   public static final void testExplicitRelsSkip() {
     PolicyFactory pf = new HtmlPolicyBuilder()
@@ -963,6 +1071,64 @@ public static final void testDirLi() {
             "<dir compact=\"compact\"><li>something</li></dir>"));
   }
 
+  @Test
+  public void testDisallowTextIn() {
+    HtmlPolicyBuilder sharedPolicyBuilder = new HtmlPolicyBuilder()
+        .allowElements("div")
+        .allowAttributes("style").onElements("div");
+
+    PolicyFactory allowPolicy = sharedPolicyBuilder.toFactory();
+    assertEquals("<div style=\"display:node\">Some Text</div>",
+        allowPolicy.sanitize("<div style=\"display:node\">Some Text</div>"));
+
+    PolicyFactory disallowTextPolicy =
+        sharedPolicyBuilder.disallowTextIn("div").toFactory();
+    assertEquals("<div style=\"display:node\"></div>",
+        disallowTextPolicy.sanitize(
+            "<div style=\"display:node\">Some Text</div>"));
+  }
+
+  @Test
+  public void testDisallowAttribute() {
+    HtmlPolicyBuilder sharedPolicyBuilder = new HtmlPolicyBuilder()
+        .allowElements("div", "p")
+        .allowAttributes("style").onElements("div", "p");
+
+    PolicyFactory allowPolicy = sharedPolicyBuilder.toFactory();
+    assertEquals(
+        "<p style=\"display:node\">Some</p><div style=\"display:node\">Text</div>",
+            allowPolicy.sanitize(
+                "<p style=\"display:node\">Some</p><div style=\"display:node\">Text</div>"));
+
+    PolicyFactory disallowTextPolicy =
+        sharedPolicyBuilder.disallowAttributes("style").onElements("p").toFactory();
+    assertEquals("<p>Some</p><div style=\"display:node\">Text</div>",
+        disallowTextPolicy.sanitize(
+            "<p style=\"display:node\">Some</p><div style=\"display:node\">Text</div>"));
+  }
+
+  @Test
+  public void testCreativeCSSStyling() {
+    PolicyFactory policy = new HtmlPolicyBuilder()
+        .allowElements("p")
+        .allowAttributes("style").onElements("p").allowStyling().toFactory();
+
+    assertEquals("<p>Some</p>",
+            policy.sanitize("<p style=\"{display:none\">Some</p>"));
+
+    assertEquals("<p style=\"color:red\">Some</p>",
+            policy.sanitize("<p style=\"{display:none;};color:red\">Some</p>"));
+
+    assertEquals("<p style=\"color:red\">Some</p>",
+            policy.sanitize("<p style=\"{display:none;}color:red\">Some</p>"));
+
+    assertEquals("<p style=\"color:red\">Some</p>",
+            policy.sanitize("<p style=\"display:none }; color:red\">Some</p>"));
+
+    assertEquals("<p style=\"color:red\">Some</p>",
+            policy.sanitize("<p style=\"{display:none;}}color:red\">Some</p>"));
+  }
+
   @Test
   public static void testScriptTagWithCommentBlockContainingHtmlCommentEnd() {
     PolicyFactory scriptSanitizer = new HtmlPolicyBuilder()
@@ -1057,6 +1223,12 @@ public static final void testTextareaIsNotTextArea() {
     assertEquals("x<textArea>y</textArea>", textAreaPolicy.sanitize(input));
   }
 
+  @Test
+  public static final void testHtmlPolicyBuilderDefinitionWithNoAttributesDefinedGlobally() {
+    // Does not crash with a runtime exception
+    new HtmlPolicyBuilder().allowElements().allowAttributes().globally().toFactory();
+  }
+
   @Test
   public static final void testCSSFontSize() {
 	 HtmlPolicyBuilder builder = new HtmlPolicyBuilder();