CVE-2021-42575: OWASP HTML Sanitizer policies that allow <style> in <option> are vulnerable


Mike Samuel

Oct 18, 2021, 10:00:43 AM10/18/21
to OWASP Java HTML Sanitizer Announce
Details at https://docs.google.com/document/d/11SoX296sMS0XoQiQbpxc5pNxSdbJKDJkm5BDv0zrX50/edit#

If a policy allows <select>, <option>, and <style> tags, then a payload like
    <select><option><style><script>alert(1)</script></style></option></select>
will XSS.

Stock HTML sanitizer policies are not affected.

We recommend upgrading to release 20211018.1

This latest release has some potentially breaking changes.
If you allow <style> element content, it will now be wrapped to prevent it from being interpreted as mixed content. That means that <style> text content that includes substrings like `-->` or `]]>` will now be rejected.

For a full list of known vulnerabilities in this project and affected versions, see https://github.com/OWASP/java-html-sanitizer/blob/main/docs/vulnerabilities.md
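A policy audit for the affected configuration, added here as an example and not part of the announcement or the project's own code. It uses the public HtmlPolicyBuilder / PolicyFactory API of the OWASP Java HTML Sanitizer; the assumption is that a policy is in the affected shape described above when it lets all three of <select>, <option> and <style> (with text content) survive sanitization, which is what the probe checks. The stock policies from org.owasp.html.Sanitizers are included as the unaffected case the announcement mentions.

```java
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;
import org.owasp.html.Sanitizers;

public class StyleInOptionPolicyAudit {

    // Benign probe (constructed for this example): no executable content,
    // only the three elements whose combination the announcement describes.
    static final String PROBE =
        "<select><option><style>x</style></option></select>";

    /**
     * Returns true when the given policy keeps <select>, <option> and <style>
     * in the probe, i.e. it is in the configuration the announcement
     * describes as affected on releases before 20211018.1.
     * (Assumption: surviving tags are a sufficient signal of the policy shape.)
     */
    static boolean allowsStyleInsideOption(PolicyFactory policy) {
        String out = policy.sanitize(PROBE).toLowerCase();
        return out.contains("<select") && out.contains("<option") && out.contains("<style");
    }

    public static void main(String[] args) {
        // Custom policy in the affected shape: it allows the three elements
        // and permits text content inside <style>.
        PolicyFactory custom = new HtmlPolicyBuilder()
            .allowElements("select", "option", "style")
            .allowTextIn("style")
            .toFactory();

        // Stock policies, which the announcement says are not affected.
        PolicyFactory stock = Sanitizers.FORMATTING.and(Sanitizers.BLOCKS);

        report("custom policy", custom);
        report("stock FORMATTING+BLOCKS policy", stock);
    }

    static void report(String name, PolicyFactory policy) {
        if (allowsStyleInsideOption(policy)) {
            System.out.println(name + ": allows <style> inside <option>; "
                + "run release 20211018.1 or later, or drop one of the three elements.");
        } else {
            System.out.println(name + ": not in the affected configuration.");
        }
    }
}
```

Run this against each PolicyFactory an application actually uses; a policy assembled from several `and()`-combined pieces can end up allowing all three elements even when no single piece does.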