Merge pull request #35 from nahsra/1.5.8

1.5.8 release merge

README.md

@@ -5,15 +5,20 @@ A library for performing fast, configurable cleansing of HTML coming from untrus
 
 Another way of saying that could be: It's an API that helps you make sure that clients don't supply malicious cargo code in the HTML they supply for their profile, comments, etc., 
 that get persisted on the server. The term "malicious code" in regards to web applications usually mean "JavaScript." Mostly, Cascading Stylesheets are only considered malicious 
-when they invoke the JavaScript. However, there are many situations where "normal" HTML and CSS can be used in a malicious manner.
+when they invoke JavaScript. However, there are many situations where "normal" HTML and CSS can be used in a malicious manner.
 
-How to Use
-----------
+More details on antisamy are available at: https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project. Particularly at: https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project#tab=How_do_I_get_started_3F.
+
+There is also a legacy developers guide at: https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owaspantisamy/Developer%20Guide.pdf (not sure how long that will remain accessible).
+
+How to Import
+-------------
 First, add the dependency from Maven:
 ```xml
 <dependency>
    <groupId>org.owasp.antisamy</groupId>
-   <projectId>antisamy</projectId>
+   <artifactId>antisamy</artifactId>
+   <version>LATEST_VERSION</version>
 </dependency>
 ```
 

pom.xml

@@ -3,7 +3,7 @@
     <groupId>org.owasp.antisamy</groupId>
     <artifactId>antisamy</artifactId>
     <packaging>jar</packaging>
-    <version>1.5.7</version>
+    <version>1.5.8</version>
 
     <distributionManagement>
         <snapshotRepository>
@@ -35,11 +35,16 @@
       </license>
     </licenses>
 
-     <scm>
+    <scm>
         <connection>scm:git:[email protected]:nahsra/antisamy.git</connection>
         <url>scm:git:[email protected]:nahsra/antisamy.git</url>
         <developerConnection>scm:git:[email protected]:nahsra/antisamy.git</developerConnection>
-    </scm>
+      <tag>antisamy-1.5.8</tag>
+  </scm>
+
+    <properties>
+        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+    </properties>
 
     <dependencies>
         <dependency>
@@ -50,55 +55,92 @@
         <dependency>
             <groupId>org.apache.xmlgraphics</groupId>
             <artifactId>batik-css</artifactId>
-            <version>1.9.1</version>
+            <version>1.11</version>
+            <exclusions>
+                <!-- exclude this as batik-css 1.11 uses commons-logging 1.0.4 and we want to eliminate the convergence mismatch -->
+                <exclusion>
+                    <groupId>commons-logging</groupId>
+                    <artifactId>commons-logging</artifactId>
+                </exclusion>
+            </exclusions>
         </dependency>
-        <dependency>
+         <dependency>
             <groupId>net.sourceforge.nekohtml</groupId>
             <artifactId>nekohtml</artifactId>
             <version>1.9.22</version>
+            <exclusions>
+                <!-- exclude this as nekohtml 1.9.22 uses xercesImpl 2.11.0 and we want to eliminate the convergence mismatch -->
+                <exclusion>
+                    <groupId>xerces</groupId>
+                    <artifactId>xercesImpl</artifactId>
+                </exclusion>
+            </exclusions>
         </dependency>
-        <dependency>
-            <groupId>junit</groupId>
-            <artifactId>junit</artifactId>
-            <type>jar</type>
-            <scope>test</scope>
-            <version>4.12</version>
-        </dependency>
-        <dependency>
-		    <groupId>commons-codec</groupId>
-		    <artifactId>commons-codec</artifactId>
-		    <version>1.10</version>
-		    <scope>test</scope>
-		</dependency>
-		<dependency>
-		    <groupId>commons-io</groupId>
-		    <artifactId>commons-io</artifactId>
-		    <version>2.2</version>
-		    <scope>test</scope>
-		</dependency>
 		<dependency>
 		    <groupId>org.apache.httpcomponents</groupId>
 		    <artifactId>httpclient</artifactId>
-		    <version>4.3.6</version>
+		    <version>4.5.8</version>
+            <exclusions>
+                <!-- exclude this as httpclient 4.5.8 uses commons-codec 1.11 and we want to eliminate the convergence mismatch -->
+                <exclusion>
+                    <groupId>commons-codec</groupId>
+                    <artifactId>commons-codec</artifactId>
+                </exclusion>
+            </exclusions>
 		</dependency>
 		<dependency>
-            <groupId>org.eclipse.jetty</groupId>
-            <artifactId>jetty-server</artifactId>
-            <version>7.6.14.v20131031</version>
-            <scope>test</scope>
-        </dependency>
+		    <groupId>xerces</groupId>
+		    <artifactId>xercesImpl</artifactId>
+		    <version>2.12.0</version>
+		</dependency>
+        <dependency>
+		    <groupId>commons-codec</groupId>
+		    <artifactId>commons-codec</artifactId>
+		    <version>1.12</version>
+		</dependency>
+
+        <!-- Test dependencies -->
         <dependency>
-            <groupId>org.eclipse.jetty</groupId>
-            <artifactId>jetty-servlet</artifactId>
-            <version>7.6.14.v20131031</version>
+            <groupId>junit</groupId>
+            <artifactId>junit</artifactId>
+            <version>4.12</version>
             <scope>test</scope>
         </dependency>
+
     </dependencies>
+
     <build>
+    	<pluginManagement>
+    	    <plugins>
+               <plugin>
+                  <groupId>org.apache.maven.plugins</groupId>
+                  <artifactId>maven-dependency-plugin</artifactId>
+                  <version>3.1.1</version>
+               </plugin>
+    	    </plugins>
+    	</pluginManagement>
         <plugins>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-clean-plugin</artifactId>
+                <version>3.1.0</version>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-compiler-plugin</artifactId>
+                <version>3.8.0</version>
+                <configuration>
+                    <source>1.7</source>
+                    <target>1.7</target>
+                    <testSource>1.7</testSource>
+                    <testTarget>1.7</testTarget>
+                    <compilerArgument>-Xlint:unchecked</compilerArgument>
+                </configuration>
+            </plugin>
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-jar-plugin</artifactId>
+                <version>3.1.0</version>
                 <configuration>
                     <archive>
                         <manifest>
@@ -110,39 +152,94 @@
                     </archive>
                 </configuration>
             </plugin>
-               <plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-install-plugin</artifactId>
+                <version>2.5.2</version>
+            </plugin>
+            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
-               <artifactId>maven-gpg-plugin</artifactId>
+               <artifactId>maven-javadoc-plugin</artifactId>
+               <version>3.0.1</version>
                <executions>
                  <execution>
-                   <id>sign-artifacts</id>
-                   <phase>verify</phase>
-                   <goals>
-                     <goal>sign</goal>
-                   </goals>
+                   <id>attach-javadocs</id>
+                   <phase>package</phase>
+                   <goals><goal>jar</goal></goals>
                  </execution>
                </executions>
-             </plugin>
+            </plugin>
             <plugin>
-               <artifactId>maven-javadoc-plugin</artifactId>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-site-plugin</artifactId>
+                <version>3.7.1</version>
+            </plugin>
+            <plugin>
+               <groupId>org.apache.maven.plugins</groupId>
+               <artifactId>maven-source-plugin</artifactId>
+               <version>3.0.1</version>
                <executions>
                  <execution>
-                   <id>attach-javadocs</id>
+                   <id>attach-sources</id>
                    <phase>package</phase>
-                   <goals><goal>jar</goal></goals>
+                   <goals><goal>jar-no-fork</goal></goals>
                  </execution>
                </executions>
-             </plugin>
+            </plugin>
             <plugin>
-            <artifactId>maven-source-plugin</artifactId>
-            <executions>
-              <execution>
-                <id>attach-sources</id>
-                <phase>package</phase>
-                <goals><goal>jar-no-fork</goal></goals>
-              </execution>
-            </executions>
-        </plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-surefire-plugin</artifactId>
+                <version>2.22.1</version>
+            </plugin>
+            <plugin>
+                <groupId>com.github.spotbugs</groupId>
+                <artifactId>spotbugs-maven-plugin</artifactId>
+                <version>3.1.11</version>
+                <dependencies>
+                  <!-- overwrite dependency on spotbugs if you want to specify the version of spotbugs -->
+                  <dependency>
+                    <groupId>com.github.spotbugs</groupId>
+                    <artifactId>spotbugs</artifactId>
+                    <version>3.1.12</version>
+                  </dependency>
+                </dependencies>
+            </plugin>
         </plugins>
     </build>
+    <reporting>
+        <plugins>
+           <plugin>
+               <groupId>org.codehaus.mojo</groupId>
+               <artifactId>versions-maven-plugin</artifactId>
+               <version>2.5</version>
+               <reportSets>
+                 <reportSet>
+                   <reports>
+                     <report>dependency-updates-report</report>
+                     <report>plugin-updates-report</report>
+                   </reports>
+                 </reportSet>
+               </reportSets>
+           </plugin>
+           <plugin>
+               <groupId>org.apache.maven.plugins</groupId>
+               <artifactId>maven-project-info-reports-plugin</artifactId>
+               <version>3.0.0</version>
+               <reportSets>
+                 <reportSet>
+                   <reports>
+                     <report>dependency-convergence</report>
+                   </reports>
+                 </reportSet>
+               </reportSets>
+               <configuration>
+                 <dependencyLocationsEnabled>false</dependencyLocationsEnabled>
+               </configuration>
+           </plugin>
+           <plugin>
+               <groupId>com.github.spotbugs</groupId>
+               <artifactId>spotbugs-maven-plugin</artifactId>
+           </plugin>
+        </plugins>
+    </reporting>
 </project>

src/main/java/org/owasp/validator/css/CssHandler.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2007-2011, Arshan Dabirsiaghi, Jason Li
+ * Copyright (c) 2007-2019, Arshan Dabirsiaghi, Jason Li
  * 
  * All rights reserved.
  * 
@@ -58,7 +58,6 @@
  * 
  * @see javax.swing.text.html.StyleSheet
  * @author Jason Li
- * 
  */
 public class CssHandler implements DocumentHandler {
 
@@ -78,20 +77,19 @@ public class CssHandler implements DocumentHandler {
 	private final InternalPolicy policy;
 
 	/**
-	 * The encaspulated results including the error messages
+	 * The error messages
 	 */
-//	private final CleanResults results;
 	private final Collection<String> errorMessages;
 
 	/**
-	 * The error message bundled to pull from.
+	 * The error message bundle to pull from.
 	 */
 	private ResourceBundle messages;
 
 	/**
 	 * A queue of imported stylesheets; used to track imported stylesheets
 	 */
-	private final LinkedList importedStyleSheets;
+	private final LinkedList<URI> importedStyleSheets;
 
 	/**
 	 * The tag currently being examined (if any); used for inline stylesheet
@@ -119,8 +117,12 @@ public class CssHandler implements DocumentHandler {
 	 *            the policy to use
 	 * @param embeddedStyleSheets
 	 *            the queue of stylesheets imported
+	 * @param errorMessages
+	 *            the List of error messages to use if there are errors
+	 * @param messages
+	 *            the error message bundle to pull from
 	 */
-	public CssHandler(Policy policy, LinkedList embeddedStyleSheets,
+	public CssHandler(Policy policy, LinkedList<URI> embeddedStyleSheets,
 		List<String> errorMessages, ResourceBundle messages) {
 		this(policy, embeddedStyleSheets, errorMessages, null, messages);
 	}
@@ -133,10 +135,14 @@ public CssHandler(Policy policy, LinkedList embeddedStyleSheets,
 	 *            the policy to use
 	 * @param embeddedStyleSheets
 	 *            the queue of stylesheets imported
+	 * @param errorMessages
+	 *            the List of error messages to use if there are errors
 	 * @param tagName
 	 *            the associated tag name with this inline style
+	 * @param messages
+	 *            the error message bundle to pull from
 	 */
-	public CssHandler(Policy policy, LinkedList embeddedStyleSheets,
+	public CssHandler(Policy policy, LinkedList<URI> embeddedStyleSheets,
 			List<String> errorMessages, String tagName, ResourceBundle messages) {
 		this.policy = (InternalPolicy) policy;
 		this.errorMessages = errorMessages;
@@ -150,7 +156,7 @@ public CssHandler(Policy policy, LinkedList embeddedStyleSheets,
 	/**
 	 * Returns the cleaned stylesheet.
 	 * 
-	 * @return the cleaned styesheet
+	 * @return the cleaned stylesheet.
 	 */
 	public String getCleanStylesheet() {
 		// Always ensure results contain most recent generation of stylesheet
@@ -161,8 +167,8 @@ public String getCleanStylesheet() {
 	 * Returns the error messages generated during parsing.
 	 * @return the error messages generated during parsing
 	 */
-	public Collection getErrorMessages() {
-	    return new ArrayList(errorMessages);
+	public Collection<String> getErrorMessages() {
+	    return new ArrayList<String>(errorMessages);
 	}
 
 	/*
@@ -202,7 +208,6 @@ public void ignorableAtRule(String atRule) throws CSSException {
 					HTMLEntityEncoder.htmlEntityEncode(atRule)
 				}));		    
 		}
-
 	}
 
 	/*
@@ -228,7 +233,7 @@ public void importStyle(String uri, SACMediaList media,
 			    errorMessages.add(ErrorMessageUtil.getMessage(
 						messages,
 					ErrorMessageUtil.ERROR_CSS_IMPORT_URL_INVALID,
-					new Object[] { HTMLEntityEncoder.htmlEntityEncode(uri) }));
+					new Object[] {}));
 			    return;			
 			}