r198 changes CSS sanitizing


Mike Samuel

Jul 24, 2013, 12:36:22 PM
to owasp-java-html-s...@googlegroups.com
The latest release, r198, includes significant changes to CSS sanitization.
If you don't use allowStyling(), then you will see no changes.

For those who do allow styling, there has been no change w.r.t. the security posture.
CSS is still sanitized to prevent execution of JS, loading of URLs that might leak referrers, and content escaping its parent's clip region, so as to preserve trusted path.

The set of CSS properties allowed has expanded, but the larger white-list was vetted with those same goals in mind.

I consider the new CSS parser stable, but if you have problems, don't hesitate to file a bug at https://code.google.com/p/owasp-java-html-sanitizer/issues/list. r173 is the latest version in Maven prior to these changes, and r175 is the equivalent available as pre-packaged JARs.

CHANGE LOG : https://owasp-java-html-sanitizer.googlecode.com/svn/trunk/CHANGE_LOG.html
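The three goals the announcement names (no JS execution, no referrer-leaking URL loads, no escape from the parent's clip region) are easiest to check against a concrete policy before upgrading. The following is an added example, not code from the post or from the sanitizer project itself; it assumes the owasp-java-html-sanitizer JAR is on the classpath and uses only the public `HtmlPolicyBuilder.allowStyling()` / `PolicyFactory.sanitize()` API that the post refers to. The inputs are constructed probes, one per stated goal plus one benign control; the exact output depends on the release's CSS whitelist, so run it against both r173 and r198 rather than assuming a result.

```java
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

// Added example (not part of the original post): exercises the CSS
// sanitization goals the r198 announcement describes.
public class StyleSanitizerProbe {

    // A minimal policy that permits a few elements and, crucially,
    // style attributes via allowStyling(). Without allowStyling(),
    // the post says r198 changes nothing for you.
    static final PolicyFactory POLICY = new HtmlPolicyBuilder()
        .allowElements("p", "span", "div")
        .allowStyling()
        .toFactory();

    static String sanitize(String untrustedHtml) {
        return POLICY.sanitize(untrustedHtml);
    }

    public static void main(String[] args) {
        // Constructed probe inputs, one per goal named in the post.
        String[] probes = {
            // Goal 1: JS execution. Legacy IE evaluates expression() as script.
            "<div style=\"width: expression(alert(1))\">a</div>",
            // Goal 2: URL loads that can leak the embedding page's referrer.
            "<p style=\"background: url(http://example.test/beacon.png)\">b</p>",
            // Goal 3: escaping the parent's clip region (trusted-path overlay).
            "<span style=\"position: fixed; top: 0; left: 0\">c</span>",
            // Control: benign declarations that a sane whitelist should keep.
            "<p style=\"color: red; font-weight: bold\">d</p>",
        };

        for (String probe : probes) {
            System.out.println("IN : " + probe);
            System.out.println("OUT: " + sanitize(probe));
            System.out.println();
        }
    }
}
```

Per the announcement's stated goals, the first three probes should come back without the offending declaration (or without a style attribute at all), and the control should keep `color` and `font-weight`; if any of the first three survives intact on r198, that is exactly the kind of finding the post asks you to file on the issue tracker.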