Update antisamy 1.6.2
Activity

David Horwitz April 13, 2021 at 12:51 AM

David Horwitz March 27, 2021 at 3:54 AM
NOTE: Schema validation behavior change starting with AntiSamy 1.6.0
While working on some improvements to AntiSamy's XML Schema Definition (XSD) for AntiSamy policy files, we noticed that AntiSamy was NOT actually enforcing the XSD. So, we've CHANGED the default behavior starting with AntiSamy 1.6.0 to enforce the schema, and not continue if the AntiSamy policy is invalid. However ... we recognize that it might not be possible for developers to fix their AntiSamy policies right away if they are non-compliant, and yet still want to upgrade AntiSamy to pick up any security improvements, feature enhancements, and bug fixes. As such, we've provided two ways to (temporarily!) disable schema validation:
Set the Java System property: owasp.validator.validateschema to false. This can be done at the command line (e.g., -Dowasp.validator.validateschema=false) or via the Java System properties file. Neither requires a code change.
Change the code using AntiSamy to invoke: Policy.setSchemaValidation(false) before loading the AntiSamy policy. This is a static call so once disabled, it is disabled for all new Policy instances.
To encourage AntiSamy users to only use XSD compliant policies, AntiSamy will always log some type of warning when schema validation is disabled. It will either WARN that the policy is non-compliant so it can be fixed, or it will WARN that the policy is compliant, but schema validation is OFF, so validation should be turned back on (i.e., stop disabling it). We also added INFO level logging when AntiSamy schemas are loaded and validated.
Release version 1.6.0
Released by @davewichers
This release includes a few minor bug fixes and all available upgrades to the libraries and plugins used by the project, including a few upgrades that eliminate known CVEs in those libraries.
The one major change in this release is that AntiSamy XSD schema validation is now enabled by default starting with AntiSamy 1.6.0.
While working on some improvements to AntiSamy's XML Schema Definition (XSD) for AntiSamy policy files, we noticed that AntiSamy was NOT actually enforcing the XSD. So, we've CHANGED the default behavior starting with AntiSamy 1.6.0 to enforce the schema, and not continue if the AntiSamy policy is invalid. However ... we recognize that it might not be possible for developers to fix their AntiSamy policies right away if they are non-compliant, and yet still want to upgrade AntiSamy to pick up any security improvements, feature enhancements, and bug fixes. As such, we've provided two ways to (temporarily!) disable schema validation.
Please read the section "NOTE: Schema validation behavior change starting with AntiSamy 1.6.0" in the README for details on how to (temporarily) disable schema validation for AntiSamy if your project needs to do so.
Release version 1.6.1
Released by @davewichers
The 1.6.0 release erroneously listed slf4j as the logging API, but then directly used log4j. This release eliminates the use of log4j entirely, using slf4j. The 1.6.1 release includes the slf4j-simple logging library, but AntiSamy users can exclude this library and use whatever slf4j logging library they prefer. Please read the README for more details.
Release version 1.6.2
Released by @davewichers
This release fixes bug #75 reported by the OWASP ESAPI team, and adds some new JavaDoc to the Policy.java class describing the major changes to AntiSamy in the 1.6+ release.
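The comment above quotes the two ways the 1.6.0 README offers to (temporarily) disable policy schema validation. The following is an added example, written for this page and not code from AntiSamy, the commenter or the ESAPI team, showing the check a practitioner would want to run before and after upgrading to 1.6.x: load the policy with validation left ON (the new default), fail fast if it is non-compliant, and only fall back to Policy.setSchemaValidation(false) when an operator has explicitly opted in. The class name PolicySchemaCheck, the opt-in property app.antisamy.allowNonCompliantPolicy, the default file name antisamy.xml and the tainted HTML string are all assumptions made for the example; the AntiSamy calls (Policy.getInstance, Policy.setSchemaValidation, AntiSamy.scan, CleanResults) are the library's public API.

```java
import java.io.File;

import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;

/**
 * Added example (not AntiSamy's own code): confirm that a policy file loads
 * under the XSD validation that AntiSamy 1.6.0+ enforces by default, and make
 * the "disable validation" fallback an explicit, logged, operator-only choice.
 */
public class PolicySchemaCheck {

    /** Hypothetical opt-in switch for this example; not an AntiSamy property. */
    static final String ALLOW_NON_COMPLIANT = "app.antisamy.allowNonCompliantPolicy";

    /** Load with schema validation at its default (ON in 1.6.0 and later). */
    static Policy loadStrict(File policyFile) throws PolicyException {
        return Policy.getInstance(policyFile);
    }

    /**
     * Temporary fallback. setSchemaValidation is static, so after this call
     * every Policy instance created in this JVM skips validation, and AntiSamy
     * itself will WARN on each load until validation is turned back on.
     */
    static Policy loadLenient(File policyFile) throws PolicyException {
        Policy.setSchemaValidation(false);
        return Policy.getInstance(policyFile);
    }

    public static void main(String[] args) throws Exception {
        // Assumed default file name; pass the real policy path as the first argument.
        File policyFile = new File(args.length > 0 ? args[0] : "antisamy.xml");
        boolean allowLenient = Boolean.parseBoolean(System.getProperty(ALLOW_NON_COMPLIANT, "false"));

        Policy policy;
        try {
            policy = loadStrict(policyFile);
            System.out.println("Policy is XSD-compliant: " + policyFile);
        } catch (PolicyException e) {
            System.err.println("Policy failed schema validation: " + e.getMessage());
            if (!allowLenient) {
                // Fail fast: fix the policy before shipping on 1.6.x rather than
                // silently running with validation off.
                throw e;
            }
            System.err.println("WARNING: loading with schema validation DISABLED; fix the policy and remove " + ALLOW_NON_COMPLIANT);
            policy = loadLenient(policyFile);
        }

        // Constructed smoke-test input: both the event handler and the script
        // element should be stripped by any sane policy.
        String tainted = "<div onmouseover=\"alert(1)\">hi</div><script>alert(2)</script>";
        CleanResults results = new AntiSamy().scan(tainted, policy);
        System.out.println("Clean HTML: " + results.getCleanHTML());
        System.out.println("Scan messages: " + results.getErrorMessages());
    }
}
```

Run it once with no extra properties: if it prints "Policy is XSD-compliant" the upgrade is safe as far as the policy goes. If it throws, the README's first option (-Dowasp.validator.validateschema=false on the command line) gives the same lenient behaviour with no code change at all, but either route leaves AntiSamy warning on every policy load until the policy is made compliant.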