Merge pull request #74 from nahsra/1.6.1

1.6.1

README.md

@@ -48,7 +48,9 @@ we recognize that it might not be possible for developers to fix their AntiSamy
 
 2) Change the code using AntiSamy to invoke: Policy.setSchemaValidation(false) before loading the AntiSamy policy. This is a static call so once disabled, it is disabled for all new Policy instances.
 
-To encourage AntiSamy users to only use XSD compliant policies, AntiSamy will always issue some type of warning when schema validation is disabled. It will either WARN that the policy is non-compliant so it can be fixed, or it will WARN that the policy is compliant, but schema validation is OFF, so validation should be turned back on (i.e., stop disabling it).
+To encourage AntiSamy users to only use XSD compliant policies, AntiSamy will always log some type of warning when schema validation is disabled. It will either WARN that the policy is non-compliant so it can be fixed, or it will WARN that the policy is compliant, but schema validation is OFF, so validation should be turned back on (i.e., stop disabling it). We also added INFO level logging when AntiSamy schema's are loaded and validated.
+
+### Logging: The logging introduced in 1.6.0 accidentally used log4j, while declaring slf4 as the logging API. This was quickly fixed in 1.6.1 to use slf4j APIs only. AntiSamy now includes the slf4j-simple library for its logging, but AntiSamy users can import and use an alternate slf4j compatible logging library if they prefer. They can also then exclude slf4j-simple if they want to.
 
 ### 3. Tailoring the policy file
 You may want to deploy AntiSamy in a default configuration, but it’s equally likely that a site may want to have strict, business-driven rules for what users can allow. The discussion that decides the tailoring should also consider attack surface - which grows in relative proportion to the policy file.

pom.xml

@@ -3,7 +3,7 @@
     <groupId>org.owasp.antisamy</groupId>
     <artifactId>antisamy</artifactId>
     <packaging>jar</packaging>
-    <version>1.6.0</version>
+    <version>1.6.1</version>
     <distributionManagement>
         <snapshotRepository>
             <id>ossrh</id>
@@ -42,8 +42,9 @@
 
     <properties>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
-        <project.build.outputTimestamp>2021-05-03T17:04:00Z</project.build.outputTimestamp>
+        <project.build.outputTimestamp>2021-09-03T03:15:00Z</project.build.outputTimestamp>
         <gpg.skip>true</gpg.skip><!-- by default skip gpg -->
+        <version.slf4j>1.7.30</version.slf4j>
         <version.spotbugs.maven>4.2.0</version.spotbugs.maven>
         <version.spotbugs>4.2.2</version.spotbugs>
     </properties>
@@ -80,26 +81,22 @@
             <artifactId>httpclient</artifactId>
             <version>4.5.13</version>
             <exclusions>
-                <!-- exclude this as httpclient uses an older commons-codec and we want to eliminate the convergence mismatch -->
+                <!-- exclude these as httpclient uses older versions of these libraries that we directly import and we want to eliminate the convergence mismatch -->
                 <exclusion>
                     <groupId>commons-codec</groupId>
                     <artifactId>commons-codec</artifactId>
                 </exclusion>
-            </exclusions>
-        </dependency>
-        <dependency>
-            <groupId>org.apache.logging.log4j</groupId>
-            <artifactId>log4j-slf4j-impl</artifactId>
-            <!-- 2.12.1 is the last release that supports Java 7, so we can't upgrade to newer versions. -->
-            <version>2.12.1</version>
-            <exclusions>
-                <!-- exclude this as we've imported a newer version directly and want to eliminate the convergence mismatch -->
                 <exclusion>
-                    <groupId>org.slf4j</groupId>
-                    <artifactId>slf4j-api</artifactId>
+                   <groupId>org.apache.httpcomponents</groupId>
+                   <artifactId>httpcore</artifactId>
                 </exclusion>
             </exclusions>
         </dependency>
+        <dependency>
+            <groupId>org.apache.httpcomponents</groupId>
+            <artifactId>httpcore</artifactId>
+            <version>4.4.14</version>
+        </dependency>
         <dependency>
             <groupId>org.apache.xmlgraphics</groupId>
             <artifactId>batik-css</artifactId>
@@ -115,7 +112,12 @@
         <dependency>
             <groupId>org.slf4j</groupId>
             <artifactId>slf4j-api</artifactId>
-            <version>1.7.30</version>
+            <version>${version.slf4j}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.slf4j</groupId>
+            <artifactId>slf4j-simple</artifactId>
+            <version>${version.slf4j}</version>
         </dependency>
         <!-- While Java 7+ includes Xerces in the JRE, it apparently doesn't provide all the features we use
              that are in the Apache version. So we import it directly. -->
@@ -130,6 +132,11 @@
             <!-- Note that there is a 2.0.2 version of this, but it is actually much older than 1.4.01. -->
             <version>1.4.01</version>
         </dependency>
+        <dependency>
+            <groupId>xml-apis</groupId>
+            <artifactId>xml-apis-ext</artifactId>
+            <version>1.3.04</version>
+        </dependency>
 
         <!-- SpotBugs dependencies -->
         <dependency>
@@ -138,12 +145,6 @@
             <version>${version.spotbugs}</version>
             <optional>true</optional>
         </dependency>
-        <dependency>
-            <groupId>net.jcip</groupId>
-            <artifactId>jcip-annotations</artifactId>
-            <version>1.0</version>
-            <optional>true</optional>
-        </dependency>
 
         <!-- Test dependencies -->
         <dependency>
@@ -152,6 +153,12 @@
             <version>4.13.2</version>
             <scope>test</scope>
         </dependency>
+        <dependency>
+          <groupId>org.hamcrest</groupId>
+          <artifactId>hamcrest-core</artifactId>
+          <version>1.3</version>
+          <scope>test</scope>
+        </dependency>
 
     </dependencies>
 

src/main/java/org/owasp/validator/html/Policy.java

@@ -52,16 +52,15 @@
 import javax.xml.validation.Schema;
 import javax.xml.validation.SchemaFactory;
 
-import org.apache.logging.log4j.Logger;
-import org.apache.logging.log4j.LogManager;
-
 import org.owasp.validator.html.model.AntiSamyPattern;
 import org.owasp.validator.html.model.Attribute;
 import org.owasp.validator.html.model.Property;
 import org.owasp.validator.html.model.Tag;
 import org.owasp.validator.html.scan.Constants;
 import org.owasp.validator.html.util.URIUtils;
 
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
 import org.w3c.dom.NodeList;
@@ -80,7 +79,7 @@
 
 public class Policy {
 
-    private static final Logger logger = LogManager.getLogger(Policy.class);
+    private static final Logger logger = LoggerFactory.getLogger(Policy.class);
 
     public static final Pattern ANYTHING_REGEXP = Pattern.compile(".*", Pattern.DOTALL);
 
@@ -229,7 +228,7 @@ public static Policy getInstance(String filename) throws PolicyException {
      * @throws PolicyException If there is a problem parsing the input stream.
      */
     public static Policy getInstance(InputStream inputStream) throws PolicyException {
-        final String logMsg = "Attempting to load policy from an input stream.";
+        final String logMsg = "Attempting to load AntiSamy policy from an input stream.";
         // If schema validation is disabled, we elevate this msg to the warn level to match the
         // level of the mandatory warning that will follow. We do the same below.
         if (validateSchema) logger.info(logMsg); else logger.warn(logMsg);
@@ -263,7 +262,7 @@ public static Policy getInstance(File file) throws PolicyException {
      * @throws PolicyException If the file is not found or there is a problem parsing the file.
      */
     public static Policy getInstance(URL url) throws PolicyException {
-        String logMsg = "Attempting to load policy from URL: " + url.toString();
+        String logMsg = "Attempting to load AntiSamy policy from URL: " + url.toString();
         if (validateSchema) logger.info(logMsg); else logger.warn(logMsg);
         return new InternalPolicy(url, getParseContext(getTopLevelElement(url), url));
     }
@@ -374,7 +373,7 @@ protected static Element getTopLevelElement(InputSource source, Callable<InputSo
                     source = getResetSource.call();
                     Element theElement = getDocumentElementFromSource(source, false);
                     // We warn when the policy has an invalid schema, but schema validation is disabled.
-                    logger.warn("Invalid policy file: " + e.getMessage());
+                    logger.warn("Invalid AntiSamy policy file: " + e.getMessage());
                     return theElement;
                 } catch (Exception e2) {
                     throw new PolicyException(e2);
@@ -386,7 +385,7 @@ protected static Element getTopLevelElement(InputSource source, Callable<InputSo
         } finally {
             if (!validateSchema && (thrownException == null)) {
                 // We warn when the policy has a valid schema, but schema validation is disabled.
-                logger.warn("XML schema validation is disabled for a valid policy. Please reenable policy validation.");
+                logger.warn("XML schema validation is disabled for a valid AntiSamy policy. Please reenable policy validation.");
             }
         }
     }
@@ -452,7 +451,7 @@ private static Element getPolicy(String href, URL baseUrl) throws PolicyExceptio
                 try {
                     Element theElement = getDocumentElementByUrl(href, baseUrl, false);
                     // We warn when the policy has an invalid schema, but schema validation is disabled.
-                    logger.warn("Invalid policy file: " + e.getMessage());
+                    logger.warn("Invalid AntiSamy policy file: " + e.getMessage());
                     return theElement;
                 } catch (SAXException | ParserConfigurationException | IOException e2) {
                     throw new PolicyException(e2);
@@ -466,7 +465,7 @@ private static Element getPolicy(String href, URL baseUrl) throws PolicyExceptio
         } finally {
             if (!validateSchema && (thrownException == null)) {
                 // We warn when the policy has a valid schema, but schema validation is disabled.
-                logger.warn("XML schema validation is disabled for a valid policy. Please reenable policy validation.");
+                logger.warn("XML schema validation is disabled for a valid AntiSamy policy. Please reenable policy validation.");
             }
         }
     }
@@ -492,7 +491,7 @@ private static Element getDocumentElementByUrl(String href, URL baseUrl, boolean
 
             try {
                 url = new URL(baseUrl, href);
-                final String logMsg = "Attempting to load policy from URL: " + url.toString();
+                final String logMsg = "Attempting to load AntiSamy policy from URL: " + url.toString();
                 if (validateSchema) logger.info(logMsg); else logger.warn(logMsg);
                 source = new InputSource(url.openStream());
                 source.setSystemId(href);