
Merge pull request #16 from digipost/upgrade-sanitizer
Upgrade sanitizer
draperunner authored Apr 15, 2024
2 parents 90b65f8 + 896477c commit 57d8d89
Showing 5 changed files with 16 additions and 22 deletions.
9 changes: 2 additions & 7 deletions NOTICE
Expand Up @@ -12,14 +12,9 @@ specific language governing permissions and limitations
under the License.

This project includes:
Checker Qual under The MIT License
digipost-html-validator under Apache License, Version 2.0
error-prone annotations under Apache 2.0
FindBugs-jsr305 under The Apache Software License, Version 2.0
Guava InternalFutureFailureAccess and InternalFutures under The Apache Software License, Version 2.0
Guava ListenableFuture only under The Apache Software License, Version 2.0
Guava: Google Core Libraries for Java under Apache License, Version 2.0
J2ObjC Annotations under Apache License, Version 2.0
Java 10 Shim under Apache License, Version 2.0
Java 8 Shim under Apache License, Version 2.0
OWASP Java HTML Sanitizer under Apache License, Version 2.0
SLF4J API Module under MIT License

12 changes: 3 additions & 9 deletions pom.xml
Expand Up @@ -38,12 +38,6 @@
<type>pom</type>
<scope>import</scope>
</dependency>
<!-- Override Guava version of owasp-java-html-sanitizer to fix vulnerability -->
<dependency>
<groupId>com.google.guava</groupId>
<artifactId>guava</artifactId>
<version>32.1.2-jre</version>
</dependency>
</dependencies>
</dependencyManagement>

Expand All @@ -61,17 +55,17 @@
<dependency>
<groupId>com.googlecode.owasp-java-html-sanitizer</groupId>
<artifactId>owasp-java-html-sanitizer</artifactId>
<version>20211018.2</version>
<version>20240325.1</version>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
<version>1.7.32</version>
<version>1.7.36</version>
</dependency>
<dependency>
<groupId>commons-io</groupId>
<artifactId>commons-io</artifactId>
<version>2.11.0</version>
<version>2.16.1</version>
<scope>test</scope>
</dependency>
<dependency>
Expand Up @@ -19,16 +19,14 @@
import org.junit.jupiter.api.Test;

import java.time.Clock;
import java.time.Instant;
import java.time.ZoneOffset;

import static no.digipost.sanitizing.internal.PolicyFactoryProvider.V2_IN_EFFECT;
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertFalse;
import static org.junit.jupiter.api.Assertions.assertSame;
import static org.junit.jupiter.api.Assertions.assertTrue;

class HtmlValidatorTestV1 {
class HtmlValidatorV1Test {

private final HtmlValidator V1_validator = new HtmlValidator(Clock.fixed(PolicyFactoryProvider.V2_IN_EFFECT.minusSeconds(1), ZoneOffset.UTC));

Expand Up @@ -26,7 +26,7 @@
import static org.junit.jupiter.api.Assertions.assertSame;
import static org.junit.jupiter.api.Assertions.assertTrue;

class HtmlValidatorTestV2 {
class HtmlValidatorV2Test {

private final HtmlValidator V2_validator = new HtmlValidator(Clock.fixed(PolicyFactoryProvider.V2_IN_EFFECT, ZoneOffset.UTC));

Expand Up @@ -17,6 +17,7 @@

import no.digipost.sanitizing.DigipostValidatingHtmlSanitizer;
import no.digipost.sanitizing.exception.ValidationException;
import static org.junit.jupiter.api.Assertions.assertTrue;
import org.junit.jupiter.api.Test;

import static org.junit.jupiter.api.Assertions.assertEquals;
Expand Down Expand Up @@ -190,13 +191,19 @@ public void skal_tillate_maillenker_uten_target_blank() {
@Test
public void skal_bruke_target_blank_på_lenker_ved_andre_targets() {
String validatedHtml = validator.sanitize("<a href=\"http://example.org\" target=\"_self\">Clicky clicky</a>", ApiHtmlValidatorPolicy.V2_VALIDATE_HTML_AND_CSS_POLICY);
assertEquals("<a href=\"http://example.org\" target=\"_blank\" rel=\"nofollow noreferrer noopener\">Clicky clicky</a>", validatedHtml);
assertTrue(validatedHtml.contains("target=\"_blank\""));
assertTrue(validatedHtml.contains("noopener"));
assertTrue(validatedHtml.contains("noreferrer"));
assertTrue(validatedHtml.contains("nofollow"));
}

@Test
public void skal_legge_på_target_blank_ved_manglende_target() {
String validatedHtml = validator.sanitize("<a href=\"http://example.org\">Clicky clicky</a>", ApiHtmlValidatorPolicy.V2_VALIDATE_HTML_AND_CSS_POLICY);
assertEquals("<a href=\"http://example.org\" target=\"_blank\" rel=\"nofollow noreferrer noopener\">Clicky clicky</a>", validatedHtml);
assertTrue(validatedHtml.contains("target=\"_blank\""));
assertTrue(validatedHtml.contains("noopener"));
assertTrue(validatedHtml.contains("noreferrer"));
assertTrue(validatedHtml.contains("nofollow"));
}

// https://nvd.nist.gov/vuln/detail/CVE-2021-42575
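Review bot: The rewritten assertions in skal_bruke_target_blank_på_lenker_ved_andre_targets and skal_legge_på_target_blank_ved_manglende_target no longer verify that the original `target="_self"` was replaced or that the `rel` tokens sit on the same anchor as the `href`, since `contains` matches the substrings anywhere in the output; a retained `_self` alongside an added `_blank` would still pass. Adding `assertFalse(validatedHtml.contains("target=\"_self\""));` to the first test (with a matching static import) and `assertTrue(validatedHtml.contains("href=\"http://example.org\""));` to both keeps the noopener/noreferrer check tied to the link under test while still tolerating attribute reordering from the upgraded sanitizer. The new `import static org.junit.jupiter.api.Assertions.assertTrue;` is placed among the regular imports, whereas the file groups static imports after them (see the existing assertEquals import); moving it next to that line keeps the grouping consistent. The enclosing test class starts and ends outside the hunk.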
