What is the actual license the sanitizer is released under?


the.chri...@gmail.com

Jun 12, 2014, 6:08:27 PM
to owasp-java-html-...@googlegroups.com
The project page at OWASP ( https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer_Project ) says "Apache 2.0".
 
The distribution page at code.google.com ( https://code.google.com/p/owasp-java-html-sanitizer/ ) says "New BSD License", which links to a page on the BSD 3-Clause license.
 
The actual distribution (at least as of 226) contains no reference to either of those licenses, but does contain the owasp-java-html-sanitizer-COPYING file, which seems to be a license from the project lead:
 
Copyright (c) 2011, Mike Samuel
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
 
Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
Neither the name of the OWASP nor the names of its contributors may
be used to endorse or promote products derived from this software
without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
 
So, is the real license for 226 reflected in that file?
 
If so, are the other places in error? Or do they represent an as yet unimplemented plan to change to a different license?

Mike Samuel

Jun 13, 2014, 4:05:54 PM
to owasp-java-html-...@googlegroups.com
Sorry for the confusion.

I forget the discussion around this. I have habitually released
things under the Apache 2 license but IIRC OWASP tends to prefer New
BSD.

https://search.maven.org/remotecontent?filepath=com/googlecode/owasp-java-html-sanitizer/owasp-java-html-sanitizer/r239/owasp-java-html-sanitizer-r239.pom
has

<licenses>
  <license>
    <name>New BSD License</name>
    <url>http://www.opensource.org/licenses/bsd-license.php</url>
    <distribution>repo</distribution>
  </license>
</licenses>

and I will continue to release it under that license.

Should you have a strong preference for Apache 2, I can probably cross
license the next release.
If not, I'll clean up the file headers to agree with the
POM and COPYING.

Mike Samuel

Jun 13, 2014, 4:09:51 PM
to owasp-java-html-...@googlegroups.com, the.chri...@gmail.com
Actually, I spoke too soon.

OWASP says ( https://www.owasp.org/index.php/OWASP_Licenses#Licensing_of_OWASP_Projects ):

> Apache 2.0
> (fewest restrictions, even allowing proprietary modifications
> and proprietary forks of your project, and more up-to-date than BSD license)

I don't want to require clients who are using it under the New BSD
license to change how they use it, so I'll probably just add a
<license> element and change CHANGES to indicate it's multiply
licensed, and change file headers to point to COPYING for the
verbiage.

Jim Manico

Jun 13, 2014, 4:15:28 PM
to owasp-java-html-...@googlegroups.com
Mike,

The license is up to you. Should I change the wiki to say Apache 2?

--
Jim Manico
@Manicode
(808) 652-3805

Chris McLaren

Jun 13, 2014, 4:39:19 PM
to owasp-java-html-...@googlegroups.com, the.chri...@gmail.com, mikes...@gmail.com
New BSD is better for me--Apache 2.0 makes me jump through legal hoops to use at work, but New BSD I can pretty much just use "hoopless".
 
So if it's your position that it has been under that license (at least for 226-239), and will probably stay that way, I'm happy.
 
C.

Mike Samuel

Jun 14, 2014, 12:18:06 PM
to owasp-java-html-...@googlegroups.com
Jim, I'm leery of leaving people who might have used it assuming one
license out in the cold. Let's dual-license it.

Jim Manico

Jun 14, 2014, 12:36:32 PM
to owasp-java-html-...@googlegroups.com
Gotchya, makes sense. I'll update the wiki and other pages soon.

--
Jim Manico
@Manicode
(808) 652-3805

Jim Manico

Jun 15, 2014, 10:01:29 PM
to owasp-java-html-...@googlegroups.com

Mike Samuel

Jun 18, 2014, 6:03:26 PM
to owasp-java-html-...@googlegroups.com
2014-06-15 22:01 GMT-04:00 Jim Manico <j...@manico.net>:
> Is this the correct change, folks?
>
> https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer_Project#Licensing

Sorry for the late response. I'm still on paternity leave.

Looks good to me. I made the changes to the .pom file, COPYING file,
and change log. The POM changes will be apparent in the next maven
push.

I did not muck with any copyright headers. The last thing I read from
legal counsel said that (c) headers are not required where there's a
clear license statement and should be left alone where they exist, but
not added to new files.