Releases: OWASP/java-html-sanitizer
Release 20240325.1
- Remove dependency on Guava
- Raise minimum supported JVM release to 8
- HTML: Avoid duplicate link
rel
values. - HTML: Recognize foreign content syntactic context:
mathml
/svg
. - CSS: Better support for
font-size
,overflow-wrap
,word-break
. - CSS: Better child combinator parsing.
- Bug: Fixed out of bounds when mixing global style attribute with others.
- Special thanks to (in lexicographic order):
Claudio Weiler, Josh England, Prakhar Maurya, Sven Strickroth, subbudvk
Release 20220608.1
Release 20220608.1
- Fix bugs in CSS tokenization
- Fix deocding of HTML character references that lack semicolons
like¶
in HTML attribute values that affected
URL query parameters.
v20211018.2
Changes how we avoid problems with special tags inside <select>
elements. Instead of complicating the rendering of <style>
elements in all cases, now we just close special elements when they are embedded in <select>
elements so no text under a <select>
is interpreted as anything other than PCDATA.
This is a follow on to https://docs.google.com/document/d/11SoX296sMS0XoQiQbpxc5pNxSdbJKDJkm5BDv0zrX50/edit#heading=h.ff1sdefzjxrx and we recommend using it over v20211018.1.
20211018.1
This release fixes a vulnerability as tracked by CVE-2021-42575
See https://docs.google.com/document/d/11SoX296sMS0XoQiQbpxc5pNxSdbJKDJkm5BDv0zrX50/edit# for details.
For a full list of known vulnerabilities see https://github.com/OWASP/java-html-sanitizer/blob/main/docs/vulnerabilities.md
20200713.1
Improves SVG and MathML support.
Now policies don't lower-case element and attribute names that are defined in either the SVG or MathML schemas.
Be aware that SVG's <textArea>
is now distinct from HTML's <textarea>
.
20190610.1
- Recognize HTML entity names added in the last few years. Now
&name;
will work consistently.
19 Feb 2018
- Strip ZWNJ from MacOS and iOS crashing text sequences