Address github issue #62.

Author: davewichers

pom.xml

@@ -3,7 +3,7 @@
     <groupId>org.owasp.antisamy</groupId>
     <artifactId>antisamy</artifactId>
     <packaging>jar</packaging>
-    <version>1.5.12</version>
+    <version>1.5.13</version>
 
     <distributionManagement>
         <snapshotRepository>

src/main/java/org/owasp/validator/html/scan/AntiSamyDOMScanner.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2007-2020, Arshan Dabirsiaghi, Jason Li
+ * Copyright (c) 2007-2021, Arshan Dabirsiaghi, Jason Li
  *
  * All rights reserved.
  *
@@ -38,7 +38,16 @@
 import org.owasp.validator.html.model.Tag;
 import org.owasp.validator.html.util.ErrorMessageUtil;
 import org.owasp.validator.html.util.HTMLEntityEncoder;
-import org.w3c.dom.*;
+import org.w3c.dom.Comment;
+import org.w3c.dom.DOMException;
+import org.w3c.dom.Document;
+import org.w3c.dom.DocumentFragment;
+import org.w3c.dom.Element;
+import org.w3c.dom.NamedNodeMap;
+import org.w3c.dom.Node;
+import org.w3c.dom.NodeList;
+import org.w3c.dom.ProcessingInstruction;
+import org.w3c.dom.Text;
 import org.xml.sax.InputSource;
 import org.xml.sax.SAXException;
 import org.xml.sax.SAXNotRecognizedException;
@@ -47,7 +56,8 @@
 import java.io.IOException;
 import java.io.StringReader;
 import java.io.StringWriter;
-import java.util.*;
+import java.util.List;
+import java.util.Queue;
 import java.util.concurrent.Callable;
 import java.util.concurrent.ConcurrentLinkedQueue;
 import java.util.regex.Matcher;
@@ -620,7 +630,6 @@ private void processChildren(NodeList childNodes, int currentStackDepth ) throws
     private void removePI(Node node) {
         addError(ErrorMessageUtil.ERROR_PI_FOUND, new Object[]{HTMLEntityEncoder.htmlEntityEncode(node.getTextContent())});
         removeNode(node);
-        node.getParentNode().removeChild(node);
     }
 
     private void stripCData(Node node) {

src/test/java/org/owasp/validator/html/test/AntiSamyTest.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2007-2020, Arshan Dabirsiaghi, Jason Li
+ * Copyright (c) 2007-2021, Arshan Dabirsiaghi, Jason Li
  * 
  * All rights reserved.
  * 
@@ -35,6 +35,7 @@
 import static org.junit.Assert.fail;
 import static org.hamcrest.CoreMatchers.containsString;
 import static org.hamcrest.CoreMatchers.equalTo;
+import static org.hamcrest.CoreMatchers.is;
 import static org.hamcrest.CoreMatchers.not;
 import static org.hamcrest.MatcherAssert.assertThat;
 
@@ -62,7 +63,6 @@
 import org.owasp.validator.html.model.Attribute;
 import org.owasp.validator.html.model.Tag;
 
-
 /**
  * This class tests AntiSamy functionality and the basic policy file which
  * should be immune to XSS and CSS phishing attacks.
@@ -1454,4 +1454,29 @@ public void testGithubIssue48() throws ScanException, PolicyException {
         assertThat(as.scan(danglingMarkup2, policy, AntiSamy.SAX).getCleanHTML(), not(containsString("//evilactor.com/")));
         assertThat(as.scan(danglingMarkup2, policy, AntiSamy.DOM).getCleanHTML(), not(containsString("//evilactor.com/")));
     }
+
+ @Test
+    public void testGithubIssue62() {
+        // Concern is that when a processing instruction is at the root level, node removal gets messy and Null pointer exception arises.
+        // More test cases are added for PI removal.
+
+        try{
+            assertThat(as.scan("|<?ai aaa", policy, AntiSamy.DOM).getCleanHTML(), is("|"));
+            assertThat(as.scan("|<?ai aaa", policy, AntiSamy.SAX).getCleanHTML(), is("|"));
+
+            assertThat(as.scan("<div>|<?ai aaa", policy, AntiSamy.DOM).getCleanHTML(), is("<div>|</div>"));
+            assertThat(as.scan("<div>|<?ai aaa", policy, AntiSamy.SAX).getCleanHTML(), is("<div>|</div>"));
+
+            assertThat(as.scan("<div><?foo note=\"I am XML processing instruction. I wish to be excluded\" ?></div>", policy, AntiSamy.DOM)
+                    .getCleanHTML(), not(containsString("<?foo")));
+            assertThat(as.scan("<div><?foo note=\"I am XML processing instruction. I wish to be excluded\" ?></div>", policy, AntiSamy.SAX)
+                    .getCleanHTML(), not(containsString("<?foo")));
+
+            assertThat(as.scan("<?xml-stylesheet type=\"text/css\" href=\"style.css\"?>", policy, AntiSamy.DOM).getCleanHTML(), is(""));
+            assertThat(as.scan("<?xml-stylesheet type=\"text/css\" href=\"style.css\"?>", policy, AntiSamy.SAX).getCleanHTML(), is(""));
+
+        } catch (Exception exc) {
+            fail(exc.getMessage());
+        }
+    }
 }