Edited CssSchema to preserve hsl() and hsla() functions

README.md

@@ -1,6 +1,6 @@
 # OWASP Java HTML Sanitizer
 
-[<img src="https://travis-ci.org/OWASP/java-html-sanitizer.svg">](https://travis-ci.org/OWASP/java-html-sanitizer) [![Coverage Status](https://coveralls.io/repos/github/OWASP/java-html-sanitizer/badge.svg?branch=master)](https://coveralls.io/github/OWASP/java-html-sanitizer?branch=master) [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/2602/badge)](https://bestpractices.coreinfrastructure.org/projects/2602) [![Maven Central](https://maven-badges.herokuapp.com/maven-central/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/badge.png?style=plastic)](https://search.maven.org/artifact/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer)
+[<img src="https://travis-ci.org/OWASP/java-html-sanitizer.svg">](https://travis-ci.org/OWASP/java-html-sanitizer) [![Coverage Status](https://coveralls.io/repos/github/OWASP/java-html-sanitizer/badge.svg?branch=main)](https://coveralls.io/github/OWASP/java-html-sanitizer?branch=main) [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/2602/badge)](https://bestpractices.coreinfrastructure.org/projects/2602) [![Maven Central](https://maven-badges.herokuapp.com/maven-central/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/badge.png?style=plastic)](https://search.maven.org/artifact/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer)
 
 
 A fast and easy to configure HTML Sanitizer written in Java which lets
@@ -35,7 +35,7 @@ how to get started with or without Maven.
 ## Prepackaged Policies
 
 You can use
-[prepackaged policies](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20191001.1/org/owasp/html/Sanitizers.html):
+[prepackaged policies](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20200713.1/org/owasp/html/Sanitizers.html):
 
 ```Java
 PolicyFactory policy = Sanitizers.FORMATTING.and(Sanitizers.LINKS);
@@ -45,9 +45,9 @@ String safeHTML = policy.sanitize(untrustedHTML);
 ## Crafting a policy
 
 The
-[tests](https://github.com/OWASP/java-html-sanitizer/blob/master/src/test/java/org/owasp/html/HtmlPolicyBuilderTest.java)
+[tests](https://github.com/OWASP/java-html-sanitizer/blob/main/src/test/java/org/owasp/html/HtmlPolicyBuilderTest.java)
 show how to configure your own
-[policy](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20191001.1/org/owasp/html/HtmlPolicyBuilder.html):
+[policy](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20200713.1/org/owasp/html/HtmlPolicyBuilder.html):
 
 ```Java
 PolicyFactory policy = new HtmlPolicyBuilder()
@@ -62,7 +62,7 @@ String safeHTML = policy.sanitize(untrustedHTML);
 ## Custom Policies
 
 You can write
-[custom policies](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20191001.1/org/owasp/html/ElementPolicy.html)
+[custom policies](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20200713.1/org/owasp/html/ElementPolicy.html)
 to do things like changing `h1`s to `div`s with a certain class:
 
 ```Java
@@ -85,7 +85,7 @@ need to be explicitly whitelisted using the `allowWithoutAttributes()`
 method if you want them to be allowed through the filter when these
 elements do not include any attributes.
 
-[Attribute policies](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20191001.1/org/owasp/html/AttributePolicy.html) allow running custom code too.  Adding an attribute policy will not water down any default policy like `style` or URL attribute checks.
+[Attribute policies](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20200713.1/org/owasp/html/AttributePolicy.html) allow running custom code too.  Adding an attribute policy will not water down any default policy like `style` or URL attribute checks.
 
 ```Java
 new HtmlPolicyBuilder = new HtmlPolicyBuilder()
@@ -153,7 +153,7 @@ of the output.
 
 ## Telemetry
 
-When a policy rejects an element or attribute it notifies an [HtmlChangeListener](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20191001.1/org/owasp/html/HtmlChangeListener.html).
+When a policy rejects an element or attribute it notifies an [HtmlChangeListener](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20200713.1/org/owasp/html/HtmlChangeListener.html).
 
 You can use this to keep track of policy violation trends and find out when someone
 is making an effort to breach your security.
@@ -187,7 +187,7 @@ used HTML parsers will agree on the meaning of, but the absence of
 notifications does not mean that the input is in such a sub-set,
 only that it does not contain elements or attributes that were removed.
 
-See ["Why sanitize when you can validate"](https://github.com/OWASP/java-html-sanitizer/blob/master/docs/html-validation.md) for more on this topic.
+See ["Why sanitize when you can validate"](https://github.com/OWASP/java-html-sanitizer/blob/main/docs/html-validation.md) for more on this topic.
 
 ## Questions?
 
@@ -206,7 +206,7 @@ We welcome [issue reports](https://github.com/OWASP/java-html-sanitizer/issues)
 PRs that change behavior or that add functionality should include both positive and
 [negative tests](https://www.guru99.com/negative-testing.html).
 
-Please be aware that contributions fall under the [Apache 2.0 License](https://github.com/OWASP/java-html-sanitizer/blob/master/COPYING).
+Please be aware that contributions fall under the [Apache 2.0 License](https://github.com/OWASP/java-html-sanitizer/blob/main/COPYING).
 
 ## Credits
 

RELEASE-checklist.sh

@@ -16,7 +16,7 @@ mvn org.sonatype.ossindex.maven:ossindex-maven-plugin:audit -f aggregate
 echo
 echo Browse to
 echo "file://$PWD/target/site"
-echo and check the findbugs and jacoco reports.
+echo and check the spotbugs and jacoco reports.
 
 echo
 echo Check https://central.sonatype.org/pages/apache-maven.html#nexus-staging-maven-plugin-for-deployment-and-release
@@ -92,7 +92,7 @@ find . -name pom.xml \
 
 git commit -am "Bumped dev version"
 
-git push origin master --tags
+git push origin main --tags
 
 # Now Release
 echo '1. Go to oss.sonatype.org'

aggregate/pom.xml

@@ -3,12 +3,12 @@
   <groupId>com.googlecode.owasp-java-html-sanitizer</groupId>
   <artifactId>aggregate</artifactId>
   <packaging>pom</packaging>
-  <version>20191001.2-SNAPSHOT</version>
+  <version>20200713.2-SNAPSHOT</version>
   <parent>
     <relativePath>../parent</relativePath>
     <groupId>com.googlecode.owasp-java-html-sanitizer</groupId>
     <artifactId>parent</artifactId>
-    <version>20191001.2-SNAPSHOT</version>
+    <version>20200713.2-SNAPSHOT</version>
   </parent>
 
   <modules>

change_log.md

@@ -1,8 +1,15 @@
 # OWASP Java HTML Sanitizer Change Log
 
 Most recent at top.
-  * Pending
-    * Fix table formatting
+  * Release 20200713.1
+    * Do not lower-case SVG/MathML names.
+      This shouldn't cause problems since it was hard to write policies for
+      SBG, but be aware that SVG's `<textArea>` is now distinct from HTML's `<textarea>`.
+  * Release 20200615.1
+    * Change `.and` when combining two policies to respect explicit `skipIfEmpty` decisions.
+    * HTML entity decoding now follows HTML standard rules about when a semicolon is optional.
+      [Fixes #193](https://github.com/OWASP/java-html-sanitizer/issues/193)
+    * Fix table formatting [#137](https://github.com/OWASP/java-html-sanitizer/issues/137)
   * Release 20191001.1
     * Package as an OSGI bundle
   * Release 20190610.1

docs/getting_started.md

@@ -23,23 +23,23 @@ to one of your project's `.java` files and compile it.
 ## Using the APIs
 
 The
-[examples](https://github.com/OWASP/java-html-sanitizer/tree/master/src/main/java/org/owasp/html/examples)
+[examples](https://github.com/OWASP/java-html-sanitizer/tree/main/src/main/java/org/owasp/html/examples)
 include source code which defines a sanitization policy, and applies
 it to HTML.
 
 The
 [javadoc](http://javadoc.io/doc/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/)
 covers more detailed topics, including
-[customization](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20191001.1/org/owasp/html/HtmlPolicyBuilder.html).
+[customization](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20200713.1/org/owasp/html/HtmlPolicyBuilder.html).
 
 Important classes are:
 
-  * [Sanitizers](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20191001.1/org/owasp/html/Sanitizers.html) contains combinable pre-packaged policies.
-  * [HtmlPolicyBuilder](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20191001.1/org/owasp/html/HtmlPolicyBuilder.html) lets you easily build custom policies.
+  * [Sanitizers](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20200713.1/org/owasp/html/Sanitizers.html) contains combinable pre-packaged policies.
+  * [HtmlPolicyBuilder](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20200713.1/org/owasp/html/HtmlPolicyBuilder.html) lets you easily build custom policies.
 
 For advanced use, see:
-  * [AttributePolicy](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20191001.1/org/owasp/html/AttributePolicy.html) and [ElementPolicy](http://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20180219.1/org/owasp/html/ElementPolicy.html) allow complex customization.
-  * [HtmlStreamEventReceiver](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20191001.1/org/owasp/html/HtmlStreamEventReceiver.html) if you don't just want a `String` as output.
+  * [AttributePolicy](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20200713.1/org/owasp/html/AttributePolicy.html) and [ElementPolicy](http://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20180219.1/org/owasp/html/ElementPolicy.html) allow complex customization.
+  * [HtmlStreamEventReceiver](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20200713.1/org/owasp/html/HtmlStreamEventReceiver.html) if you don't just want a `String` as output.
 
 ## Asking Questions
 

docs/maven.md

@@ -23,7 +23,7 @@ Bigger numbers are more recent and the [change log](../change_log.md)
 can shed light on the salient differences.
 
 You should be able to build with the HTML sanitizer.  You can read the
-[javadoc](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20191001.1/index.html),
+[javadoc](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20200713.1/index.html),
 and if you have questions that aren't answered by these wiki pages,
 you can ask on the
 [mailing list](http://groups.google.com/group/owasp-java-html-sanitizer-support).

empiricism/pom.xml

@@ -2,13 +2,13 @@
   <modelVersion>4.0.0</modelVersion>
   <groupId>com.googlecode.owasp-java-html-sanitizer</groupId>
   <artifactId>html-types</artifactId>
-  <version>20191001.2-SNAPSHOT</version>
+  <version>20200713.2-SNAPSHOT</version>
   <packaging>jar</packaging>
   <parent>
     <relativePath>../parent</relativePath>
     <groupId>com.googlecode.owasp-java-html-sanitizer</groupId>
     <artifactId>parent</artifactId>
-    <version>20191001.2-SNAPSHOT</version>
+    <version>20200713.2-SNAPSHOT</version>
   </parent>
 
   <name>empiricism</name>

html-types/pom.xml

@@ -2,13 +2,13 @@
   <modelVersion>4.0.0</modelVersion>
   <groupId>com.googlecode.owasp-java-html-sanitizer</groupId>
   <artifactId>html-types</artifactId>
-  <version>20191001.2-SNAPSHOT</version>
+  <version>20200713.2-SNAPSHOT</version>
   <packaging>bundle</packaging>
   <parent>
     <relativePath>../parent</relativePath>
     <groupId>com.googlecode.owasp-java-html-sanitizer</groupId>
     <artifactId>parent</artifactId>
-    <version>20191001.2-SNAPSHOT</version>
+    <version>20200713.2-SNAPSHOT</version>
   </parent>
 
   <name>OWASP Java HTML Sanitizer Safe HTML Compatibility</name>

html-types/src/main/java/org/owasp/html/htmltypes/SafeHtmlMint.java

@@ -45,7 +45,7 @@
  * This class is safe when the policy factories passed to it are safe.
  * <a href="https://github.com/mikesamuel/fences-maven-enforcer-rule">Fences</a>
  * can be used to control access to {@link SafeHtmlMint#fromPolicyFactory}
- * as needed, and <a href="https://github.com/mikesamuel/fences-maven-enforcer-rule/blob/master/src/site/markdown/caveats.md">the plausible deniability</a>
+ * as needed, and <a href="https://github.com/mikesamuel/fences-maven-enforcer-rule/blob/main/src/site/markdown/caveats.md">the plausible deniability</a>
  * standard can be extended to writing policies that white-list known-unsafe
  * content.
  */

html-types/src/main/java/org/owasp/html/htmltypes/package-info.java

@@ -28,9 +28,9 @@
 
 /**
  * Wraps HTML policy builders to produce
- * <a href="https://github.com/google/safe-html-types/blob/master/doc/safehtml-types.md">Safe HTML</a>.
+ * <a href="https://github.com/google/safe-html-types/blob/main/doc/safehtml-types.md">Safe HTML</a>.
  * <p>
- * @see <a href="https://github.com/OWASP/java-html-sanitizer/blob/master/docs/credits.md">usage</a>
+ * @see <a href="https://github.com/OWASP/java-html-sanitizer/blob/main/docs/credits.md">usage</a>
  * @author Mike Samuel ([email protected])
  */
 @javax.annotation.ParametersAreNonnullByDefault

parent/pom.xml

@@ -2,7 +2,7 @@
   <modelVersion>4.0.0</modelVersion>
   <groupId>com.googlecode.owasp-java-html-sanitizer</groupId>
   <artifactId>parent</artifactId>
-  <version>20191001.2-SNAPSHOT</version>
+  <version>20200713.2-SNAPSHOT</version>
 
   <packaging>pom</packaging>
 

pom.xml

@@ -6,7 +6,7 @@
     <relativePath>parent</relativePath>
     <groupId>com.googlecode.owasp-java-html-sanitizer</groupId>
     <artifactId>parent</artifactId>
-    <version>20191001.2-SNAPSHOT</version>
+    <version>20200713.2-SNAPSHOT</version>
   </parent>
 
   <name>OWASP Java HTML Sanitizer</name>

src/main/java/org/owasp/html/CssSchema.java

@@ -293,7 +293,7 @@ Property forKey(String propertyName) {
     ImmutableSet<String> mozOutlineLiterals3 = ImmutableSet.of(
         "hidden", "inherit", "inset", "invert", "medium", "none");
     ImmutableMap<String, String> mozOutlineFunctions =
-      ImmutableMap.<String, String>of("rgb(", "rgb()", "rgba(", "rgba()");
+      ImmutableMap.<String, String>of("rgb(", "rgb()", "rgba(", "rgba()","hsl(","hsl()","hsla(","hsla()");
     ImmutableSet<String> mozOutlineColorLiterals0 =
       ImmutableSet.of("inherit", "invert");
     ImmutableSet<String> mozOutlineStyleLiterals0 =
@@ -323,7 +323,7 @@ Property forKey(String propertyName) {
       .put("radial-gradient(", "radial-gradient()")
       .put("repeating-linear-gradient(", "repeating-linear-gradient()")
       .put("repeating-radial-gradient(", "repeating-radial-gradient()")
-      .put("rgb(", "rgb()").put("rgba(", "rgba()")
+      .put("rgb(", "rgb()").put("rgba(", "rgba()").put("hsl(", "hsl()").put("hsla(","hsla()")
       .build();
     ImmutableSet<String> backgroundAttachmentLiterals0 =
       ImmutableSet.of(",", "fixed", "local", "scroll");
@@ -467,6 +467,8 @@ Property forKey(String propertyName) {
     ImmutableSet<String> wordWrapLiterals0 = ImmutableSet.of(
         "break-word", "normal");
     ImmutableSet<String> rgb$FunLiterals0 = ImmutableSet.of(",");
+
+
     ImmutableSet<String> linearGradient$FunLiterals0 = ImmutableSet.of(
         ",", "to");
     ImmutableSet<String> radialGradient$FunLiterals0 = ImmutableSet.of(
@@ -742,6 +744,9 @@ Property forKey(String propertyName) {
     builder.put("zoom", new Property(1, fontStretchLiterals1, zeroFns));
     Property rgb$Fun = new Property(1, rgb$FunLiterals0, zeroFns);
     builder.put("rgb()", rgb$Fun);
+
+    builder.put("hsl()", rgb$Fun);
+    builder.put("hsla()", rgb$Fun);
     @SuppressWarnings("unchecked")
     Property image$Fun = new Property(
         18, union(mozOutlineLiterals0, rgb$FunLiterals0), mozOutlineFunctions);
@@ -961,6 +966,8 @@ private static <T> ImmutableSet<T> union(
       "repeating-radial-gradient()",
       "rgb()",
       "rgba()",
+      "hsl()",
+      "hsla()",
       "richness",
       "speak",
       "speak-header",

src/main/java/org/owasp/html/ElementAndAttributePolicies.java

@@ -35,7 +35,7 @@
 
 /**
  * Encapsulates all the information needed by the
- * {@link ElementAndAttributePolicySanitizerPolicy} to sanitize one kind
+ * {@link ElementAndAttributePolicyBasedSanitizerPolicy} to sanitize one kind
  * of element.
  */
 @Immutable

src/main/java/org/owasp/html/ElementAndAttributePolicyBasedSanitizerPolicy.java

@@ -144,7 +144,7 @@ public void openTag(String elementName, List<String> attrs) {
 
       adjustedElementName = policies.elPolicy.apply(elementName, attrs);
       if (adjustedElementName != null) {
-        adjustedElementName = HtmlLexer.canonicalName(adjustedElementName);
+        adjustedElementName = HtmlLexer.canonicalElementName(adjustedElementName);
       }
     } else {
       adjustedElementName = null;