Releases: nahsra/antisamy
Release version 1.6.6.1
The 1.6.6.1 release corrects a minor issue in the 1.6.6 release:
We accidentally upgraded the byte code generated for antisamy.jar to be Java 8, when it can still be Java 7. So this release generates a Java 7 jar file instead. This allows Java 7 projects to use AntiSamy 1.6.6.1 by doing the following:
Exclude the 2 Java 8 dependencies we currently use:
- commons-io:commons-io:2.11.0
- net.sourceforge.htmlunit:neko-htmlunit:2.60.0
You then import and use the last Java 7 versions of these libraries:
- commons-io:commons-io:2.6
- net.sourceforge.htmlunit:neko-htmlunit:2.24
A few plugins were upgraded and some were added but none of the dependencies were changed.
The previous 1.6.6 release addressed the following issues:
- This release fixes 3 security issues reported by researcher Hyeongkwan Lee
  CVEs for these have not been created yet, so we are not providing any details on the issues at this time.
- Enhancement #147: Add require-closing-tags to default AntiSamy policy file
- Bug #151: Change in behavior between 1.6.4 and 1.6.5 for getErrorMessages
  We accidentally stopped propagating an errorMessages parameter in 1 API. This is now fixed.
NOTIFICATION 1: This 1.6.6 release has 2 dependencies which require Java 8, although the AntiSamy source code itself still only requires Java 7.
NOTIFICATION 2: The 1.7.0 release will drop support for several things deprecated in the 1.6.x series of releases.
a) AntiSamy 1.6.0 introduced XML schema validation for AntiSamy policy files to address issue #58. In all the 1.6.X releases, enforcement of schema validation is optional, with warnings generated to indicate it should be enforced. Starting with AntiSamy 1.7.0 this will no longer be optional.
To support this new feature, but keep it optional, 2 new Policy class methods were created, and immediately deprecated:
public static boolean getSchemaValidation()
public static void setSchemaValidation(boolean enable)
These two methods will be dropped in the 1.7.0 release, and any AntiSamy policy files that fail schema validation will result in an error and have to be fixed.
b) AntiSamy 1.6.5 changed some APIs. Specifically:
These constructors are now @deprecated:
public CssHandler(Policy policy, LinkedList embeddedStyleSheets, List errorMessages, ResourceBundle messages)
public CssHandler(Policy policy, LinkedList embeddedStyleSheets, List errorMessages, String tagName, ResourceBundle messages)
And are being replaced with:
public CssHandler(Policy policy, List errorMessages, ResourceBundle messages)
public CssHandler(Policy policy, List errorMessages, ResourceBundle messages, String tagName) <-- Notice that the tagName is now the last parameter in the new API.
Both constructors drop the 2nd parameter (the queue of stylesheets imported), as that queue is now created inside this constructor. A reference to this queue (if needed) can be retrieved by using the new method:
public LinkedList getImportedStylesheetsURIList()
c) This 1.6.6 release deprecates support for Xhtml. As such, the following are deprecated:
The constant: Policy.USE_XHTML = "useXHTML";
The method: InternalPolicy.isXhtml()
The entire class: org/owasp/validator/html/scan/ASXHTMLSerializer.java
We plan to remove everything deprecated in the 1.7.0 release.
Release version 1.6.6
This release addresses the following issues:
- This release fixes 2 security issues reported by researcher Hyeong Gwan, Yi
  CVE-2022-28367: AntiSamy before 1.6.6 allows XSS via HTML tag smuggling on STYLE content. https://www.cvedetails.com/cve/CVE-2022-28367. NOTE: This release only included a PARTIAL fix. It's completely fixed in the 1.6.7 release.
  AntiSamy prior to 1.6.6 used the old CyberNeko HTML library v1.9.22, which is subject to https://www.cvedetails.com/cve/CVE-2022-28366 and no longer maintained. AntiSamy 1.6.6 upgraded to an active fork of CyberNeko called HtmlUnit-Neko which fixed this CVE in v2.27 of that library. AntiSamy 1.6.6 upgraded to version 2.60.0 of HtmlUnit-Neko.
- Enhancement #147: Add require-closing-tags to default AntiSamy policy file
- Bug #151: Change in behavior between 1.6.4 and 1.6.5 for getErrorMessages
  We accidentally stopped propagating an errorMessages parameter in 1 API. This is now fixed.
NOTIFICATION 1: This 1.6.6 release has 2 dependencies which require Java 8, although the AntiSamy source code itself still only requires Java 7.
NOTIFICATION 2: The 1.7.0 release will drop support for several things deprecated in the 1.6.x series of releases.
a) AntiSamy 1.6.0 introduced XML schema validation for AntiSamy policy files to address issue #58. In all the 1.6.X releases, enforcement of schema validation is optional, with warnings generated to indicate it should be enforced. Starting with AntiSamy 1.7.0 this will no longer be optional.
To support this new feature, but keep it optional, 2 new Policy class methods were created, and immediately deprecated:
public static boolean getSchemaValidation()
public static void setSchemaValidation(boolean enable)
These two methods will be dropped in the 1.7.0 release, and any AntiSamy policy files that fail schema validation will result in an error and have to be fixed.
b) AntiSamy 1.6.5 changed some APIs. Specifically:
These constructors are now @deprecated:
public CssHandler(Policy policy, LinkedList embeddedStyleSheets, List errorMessages, ResourceBundle messages)
public CssHandler(Policy policy, LinkedList embeddedStyleSheets, List errorMessages, String tagName, ResourceBundle messages)
And are being replaced with:
public CssHandler(Policy policy, List errorMessages, ResourceBundle messages)
public CssHandler(Policy policy, List errorMessages, ResourceBundle messages, String tagName) <-- Notice that the tagName is now the last parameter in the new API.
Both constructors drop the 2nd parameter (the queue of stylesheets imported), as that queue is now created inside this constructor. A reference to this queue (if needed) can be retrieved by using the new method:
public LinkedList getImportedStylesheetsURIList()
c) This 1.6.6 release deprecates support for Xhtml. As such, the following are deprecated:
The constant: Policy.USE_XHTML = "useXHTML";
The method: InternalPolicy.isXhtml()
The entire class: org/owasp/validator/html/scan/ASXHTMLSerializer.java
We plan to remove everything deprecated in the 1.7.0 release.
Release version 1.6.5
This release addresses the following issues:
- Enhancement #89: Add rel="noopener" to anchor if target="_blank" is set
We have added a new policy directive 'noopenerAndNoreferrerAnchors' which, if set, will add 'noopener noreferrer' to anchor tags if target="_blank" in an HREF to reduce the risk of https://owasp.org/www-community/attacks/Reverse_Tabnabbing attacks. This is similar to adding 'nofollow' in the same situation which is already done by default. Currently, 'noopener' and 'noreferrer' are not added by default, but have to be enabled in the AntiSamy policy file. Future versions of AntiSamy may make this the default behavior, to match how 'nofollow' is added automatically.
- Bug #103: AntiSamy 1.6.4 doesn't play nicely with xalan-j 2.7.2
In 1.6.4, changes were made to disable some external entity features in the use of an XML TransformerFactory to reduce the risk of XXE if an attacker were able to modify a developer provided AntiSamy XML policy file. As it turns out, the use of Java's TransformerFactory.newTransformer() is problematic because if an AntiSamy library user has another Xalan Transformer on their classpath, that class will be returned by the invocation of this method, instead of the JDK provided version, and that Transformer might not support the JAXP 1.5 security features we are invoking. As such, to fix this, we now force the instantiation of the JDK provided Xalan XML Transformer com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl which does support these JAXP 1.5 security features and is available in all versions of the JDK we tested from Java 7 through Java 19.
By fixing it this way, we don't affect the external applications use of any other Xalan parsers they might be using. We are just defaulting AntiSamy's use of the Xalan parser to the JDK provided one (com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl).
However, we determined that some AntiSamy users might not want to use this JDK provided Xalan TransformerFactoryImpl. As such, we also added a Java system property called: "antisamy.transformerfactory.impl", which can be used to override this default with a different TransformerFactoryImpl of your choosing.
- Minor Bug #113: Imported styles are in the wrong order regarding non-imported styles
This issue was fixed in this release. See the issue ticket for more details.
- Minor Bug #125: Enhanced antisamy.xml to support css-styles that start with a '-'
This issue was fixed in this release. See the issue ticket for more details.
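The following is an added illustration (editor's example, not AntiSamy project code) of the 'noopenerAndNoreferrerAnchors' directive described under Enhancement #89 above. It scans a constructed anchor with target="_blank" and checks whether the cleaned output carries the rel tokens. It assumes a policy file, named antisamy-noopener.xml here, that is a copy of the default policy with `<directive name="noopenerAndNoreferrerAnchors" value="true"/>` added to its directives section and with the target attribute allowed on anchor tags (if the policy strips target, there is nothing for the directive to harden).

```java
import java.util.List;

import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

/**
 * Added example, not AntiSamy project code: verifies that a policy with the
 * noopenerAndNoreferrerAnchors directive enabled actually rewrites a
 * target="_blank" anchor. The policy file name below is an assumption.
 */
public class TabnabbingCheck {

    // Constructed sample input: a link that would open in a new tab.
    static final String SAMPLE =
        "<p>See our <a href=\"https://example.com/\" target=\"_blank\">partner site</a>.</p>";

    /** True when the cleaned output carries a rel attribute with both tokens. */
    public static boolean relHardened(String cleanHtml) {
        // Quote style and token order are up to the serializer, so match loosely.
        String lower = cleanHtml.toLowerCase();
        return lower.contains("rel=") && lower.contains("noopener") && lower.contains("noreferrer");
    }

    /** Loads the policy from disk and scans the input with it. */
    public static CleanResults scan(String policyPath, String html)
            throws PolicyException, ScanException {
        Policy policy = Policy.getInstance(policyPath);
        return new AntiSamy().scan(html, policy);
    }

    public static void main(String[] args) throws Exception {
        String policyPath = args.length > 0 ? args[0] : "antisamy-noopener.xml"; // assumed file
        CleanResults results = scan(policyPath, SAMPLE);
        String clean = results.getCleanHTML();
        System.out.println("clean HTML: " + clean);

        List<String> errors = results.getErrorMessages();
        System.out.println("policy violations reported: " + errors.size());

        if (!relHardened(clean)) {
            // Either the directive is off, or target="_blank" itself was stripped by the policy.
            System.out.println("WARNING: target=\"_blank\" anchor was not given rel=\"noopener noreferrer\""
                + "; check the directive and the allowed attributes for <a>");
        }
    }
}
```

Running the same input against the stock policy (directive absent) is a quick way to confirm the check itself works: the warning should fire there and go quiet once the directive is set.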
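As an added example for the Bug #103 discussion above (editor's code, not part of AntiSamy), the block below shows how a project can choose the TransformerFactory AntiSamy uses through the "antisamy.transformerfactory.impl" system property, and, before doing so, checks that the chosen implementation actually accepts the JAXP 1.5 external-access attributes. That check reproduces the condition behind the bug: a Xalan on the classpath that does not recognise those attributes throws IllegalArgumentException. The candidate factory class name and the policy file path are assumptions.

```java
import javax.xml.XMLConstants;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.TransformerFactoryConfigurationError;

import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;

/**
 * Added example, not AntiSamy project code: sets the override property named in
 * the 1.6.5 release note only for a factory that supports the JAXP 1.5
 * attributes AntiSamy relies on; otherwise leaves AntiSamy on its JDK default.
 */
public class TransformerFactoryCheck {

    public static final String OVERRIDE_PROPERTY = "antisamy.transformerfactory.impl";

    // The JDK-bundled Xalan factory AntiSamy 1.6.5 defaults to (quoted from the release note).
    public static final String JDK_XALAN =
        "com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl";

    /**
     * True if the named factory can be instantiated and accepts the JAXP 1.5
     * external-access attributes; false if it is missing or rejects them.
     */
    public static boolean supportsJaxp15(String factoryClassName) {
        try {
            TransformerFactory tf = TransformerFactory.newInstance(
                factoryClassName, TransformerFactoryCheck.class.getClassLoader());
            // Implementations that predate JAXP 1.5 throw IllegalArgumentException here.
            tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
            return true;
        } catch (IllegalArgumentException unsupportedAttribute) {
            return false;
        } catch (TransformerFactoryConfigurationError notLoadable) {
            return false;
        }
    }

    /**
     * Applies the override only when the candidate passes the check and returns
     * the factory class AntiSamy will end up using.
     */
    public static String selectFactory(String candidateClassName) {
        if (candidateClassName != null && supportsJaxp15(candidateClassName)) {
            System.setProperty(OVERRIDE_PROPERTY, candidateClassName);
            return candidateClassName;
        }
        // No usable override: clear any stale value so AntiSamy falls back to the JDK factory.
        System.clearProperty(OVERRIDE_PROPERTY);
        return JDK_XALAN;
    }

    public static void main(String[] args) throws PolicyException {
        // Hypothetical alternative factory passed on the command line (assumption).
        String chosen = selectFactory(args.length > 0 ? args[0] : null);
        System.out.println("AntiSamy will use: " + chosen);

        // The property must be set before the policy is loaded, because that is
        // where AntiSamy creates its transformer. Policy path is an assumption.
        Policy policy = Policy.getInstance("antisamy.xml");
        System.out.println("policy loaded with factory " + chosen + ": " + (policy != null));
    }
}
```

The point of the check is that the factory returned by a bare TransformerFactory.newTransformer() depends on classpath order, so a build that passes on one machine can fail on another; pinning the factory (or verifying the one you pin) removes that variable.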
NOTE: 1.7.0 release coming soon. Will drop Java 7 support and deprecated features/APIs, as follows:
1) We expect 1.6.5 to be the last release that supports Java 7. The next release is expected to be 1.7.0, which will require Java 8.
2) The 1.7.0 release will also drop support for two things that were deprecated in the 1.6.x series of releases.
a) AntiSamy 1.6.0 introduced XML schema validation for AntiSamy policy files to address issue #58. In all the 1.6.X releases, enforcement of schema validation is optional, with warnings generated to indicate it should be enforced. Starting with AntiSamy 1.7.0 this will no longer be optional.
To support this new feature, but keep it optional, 2 new Policy class methods were created, and immediately deprecated:
public static boolean getSchemaValidation()
public static void setSchemaValidation(boolean enable)
These two methods will be dropped in the 1.7.0 release, and any AntiSamy policy files that fail schema validation will result in an error and have to be fixed.
b) This 1.6.5 release actually changed some APIs. Specifically:
These constructors are now @deprecated:
public CssHandler(Policy policy, LinkedList embeddedStyleSheets, List errorMessages, ResourceBundle messages)
public CssHandler(Policy policy, LinkedList embeddedStyleSheets, List errorMessages, String tagName, ResourceBundle messages)
And are being replaced with:
public CssHandler(Policy policy, List errorMessages, ResourceBundle messages)
public CssHandler(Policy policy, List errorMessages, ResourceBundle messages, String tagName) <-- Notice that the tagName is now the last parameter in the new API.
Both constructors drop the 2nd parameter (the queue of stylesheets imported), as that queue is now created inside this constructor. A reference to this queue (if needed) can be retrieved by using the new method:
public LinkedList getImportedStylesheetsURIList()
We plan to remove these newly Deprecated APIs in the 1.7.0 release.
Release version 1.6.4
This release addresses issue #87, which also fixes CVE-2021-35043.
Thanks to Zachary Sims for responsibly disclosing the issue.
Release version 1.6.3
Release version 1.6.2
This release fixes bug #75 reported by the OWASP ESAPI team, and adds some new JavaDoc to the Policy.java class describing the major changes to AntiSamy in the 1.6+ release.
Release version 1.6.1
The 1.6.0 release erroneously listed slf4j as the logging API, but then directly used log4j. This release eliminates the use of log4j entirely, using slf4j. The 1.6.1 release includes the slf4j-simple logging library, but AntiSamy users can exclude this library and use whatever slf4j logging library they prefer. Please read the README for more details.
Release version 1.6.0
This release includes a few minor bug fixes and all available upgrades to the libraries and plugins used by the project, including a few upgrades that eliminate known CVEs in those libraries.
The one major change in this release is that AntiSamy XSD schema validation is now enabled by default starting with AntiSamy 1.6.0.
While working on some improvements to AntiSamy's XML Schema Definition (XSD) for AntiSamy policy files, we noticed that AntiSamy was NOT actually enforcing the XSD. So, we've CHANGED the default behavior starting with AntiSamy 1.6.0 to enforce the schema, and not continue if the AntiSamy policy is invalid. However ... we recognize that it might not be possible for developers to fix their AntiSamy policies right away if they are non-compliant, and yet still want to upgrade AntiSamy to pick up any security improvements, feature enhancements, and bug fixes. As such, we've provided two ways to (temporarily!) disable schema validation.
Please read the section "### NOTE: Schema validation behavior change starting with AntiSamy 1.6.0" in the README for details on how to (temporarily) disable schema validation for AntiSamy if your project needs to do so.
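As an added illustration (editor's example, not AntiSamy project code) of the schema-validation behaviour described in the 1.6.0 note above and in the 1.7.0 migration notes of the 1.6.5, 1.6.6 and 1.6.6.1 releases: the loader below tries the policy with validation enforced, which is what 1.7.0 will do unconditionally, and only falls back to the deprecated Policy.setSchemaValidation(false) toggle when the caller explicitly allows it, restoring the flag afterwards so the relaxed setting does not leak to other callers. The policy file path is an assumption.

```java
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;

/**
 * Added example, not AntiSamy project code: strict-first policy loading that
 * makes the temporary nature of the deprecated schema-validation toggle explicit.
 */
public class StrictPolicyLoader {

    /** Result of a load attempt; callers can log it or fail a build on it. */
    public static final class Outcome {
        public final Policy policy;      // null when loading failed
        public final boolean validated;  // true when the policy passed schema validation
        public final String error;       // validation or load error, or null

        Outcome(Policy policy, boolean validated, String error) {
            this.policy = policy;
            this.validated = validated;
            this.error = error;
        }
    }

    /**
     * Loads with schema validation enforced. If allowUnvalidatedFallback is
     * true and strict loading fails, retries with validation disabled so an
     * upgrade can proceed while the policy is being fixed; the original
     * validation error is kept in the outcome so it is not silently lost.
     */
    public static Outcome load(String policyPath, boolean allowUnvalidatedFallback) {
        Policy.setSchemaValidation(true); // 1.6.x default; mandatory from 1.7.0
        try {
            return new Outcome(Policy.getInstance(policyPath), true, null);
        } catch (PolicyException strict) {
            if (!allowUnvalidatedFallback) {
                return new Outcome(null, false, strict.getMessage());
            }
            // Deprecated toggle: removed in 1.7.0, so this branch is a fix-me, not a fix.
            Policy.setSchemaValidation(false);
            try {
                return new Outcome(Policy.getInstance(policyPath), false, strict.getMessage());
            } catch (PolicyException loose) {
                return new Outcome(null, false, loose.getMessage());
            } finally {
                Policy.setSchemaValidation(true); // do not leave the static flag relaxed
            }
        }
    }

    public static void main(String[] args) {
        String path = args.length > 0 ? args[0] : "antisamy.xml"; // assumed path
        Outcome outcome = load(path, false);
        if (outcome.policy == null) {
            System.err.println("Policy rejected; fix it before moving to 1.7.0: " + outcome.error);
            System.exit(1);
        }
        System.out.println("Policy loaded; schema validated = " + outcome.validated);
    }
}
```

Running this with the fallback disabled in CI surfaces a non-compliant policy at build time rather than at the 1.7.0 upgrade, when the toggle no longer exists.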
Release version 1.5.13
This release addresses AntiSamy issue #62, which caused a NullPointerException in AntiSamyDOMScanner.java for certain input.
Release version 1.5.12
This release upgrades the Xerces dependency to 2.12.1 to eliminate the known vulnerability in Xerces 2.12.0 (CVE-2020-14338). While this CVE does not affect AntiSamy given how AntiSamy uses Xerces, we produced this point release to eliminate the known vulnerability in this dependency anyway to eliminate this CVE showing up on dependency tree scanners.