Skip to content

fix: upgrade Antisamy to 1.7.5 to resolve CVE-2024-23635 #833

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Feb 29, 2024
Merged

fix: upgrade Antisamy to 1.7.5 to resolve CVE-2024-23635 #833

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 7 additions & 2 deletions pom.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -243,13 +243,18 @@
<dependency>
<groupId>org.owasp.antisamy</groupId>
<artifactId>antisamy</artifactId>
<version>1.7.4</version>
<version>1.7.5</version>
<exclusions>
<!-- excluded because we directly import newer version below. -->
<exclusion>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
</exclusion>
<!-- excluded because commons-beanutils imports a newer version. -->
<exclusion>
<groupId>commons-logging</groupId>
<artifactId>commons-logging</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
Expand Down Expand Up @@ -281,7 +286,7 @@
-->
<groupId>commons-io</groupId>
<artifactId>commons-io</artifactId>
<version>2.14.0</version>
<version>2.15.1</version>
</dependency>

<!-- SpotBugs dependencies -->
Expand Down
14 changes: 12 additions & 2 deletions src/test/java/org/owasp/esapi/reference/validation/HTMLValidationRuleCleanTest.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -362,6 +362,10 @@ public void testAntiSamyRegressionCDATAWithJavascriptURL() throws Exception {
//
// See AntiSamy GitHub issue #380 (https://github.com/nahsra/antisamy/issues/389) for more details.
//
// The output has changed again as of AntiSamy 1.7.5. The expected output is now:
// Walert(1)
// See AntiSamy Release notes for 1.7.5 (https://github.com/nahsra/antisamy/releases/tag/v1.7.5)
//
// Also, this test, which originally used Validator.isValidSafeHTML(), has been
// changed to use Validator.getValidSafeHTML() instead because Validator.isValidSafeHTML()
// has been deprecated. See GitHub Security Advisory
Expand All @@ -375,7 +379,8 @@ public void testScriptTagAfterStyleClosing() throws Exception {
ValidationErrorList errors = new ValidationErrorList();
String input = "<select<style/>W<xmp<script>alert(1)</script>";
// String expected = "W&lt;script&gt;alert(1)&lt;/script&gt;"; // Before AntiSamy 1.7.4
String expected = "W&lt;xmp&lt;script&gt;alert(1)&lt;/script&gt;"; // AntiSamy 1.7.4 (and later?)
// String expected = "W&lt;xmp&lt;script&gt;alert(1)&lt;/script&gt;"; // AntiSamy 1.7.4
String expected = "Walert(1)"; // AntiSamy 1.7.5 (and later?)
String output = instance.getValidSafeHTML("escaping style tag attack with script tag", input, 250, false, errors);
assertEquals(expected, output);
assertTrue(errors.size() == 0);
Expand All @@ -392,6 +397,10 @@ public void testScriptTagAfterStyleClosing() throws Exception {
//
// See AntiSamy GitHub issue #380 (https://github.com/nahsra/antisamy/issues/389) for more details.
//
// The output has changed again as of AntiSamy 1.7.5. The expected output is now:
// kinput/onfocus=alert(1)&gt;
// See AntiSamy Release notes for 1.7.5 (https://github.com/nahsra/antisamy/releases/tag/v1.7.5)
//
// Also, this test, which originally used Validator.isValidSafeHTML(), has been
// changed to use Validator.getValidSafeHTML() instead because Validator.isValidSafeHTML()
// has been deprecated. See GitHub Security Advisory
Expand All @@ -405,7 +414,8 @@ public void testOnfocusAfterStyleClosing() throws Exception {
String input = "<select<style/>k<input<</>input/onfocus=alert(1)>";

// String expected = "k&lt;input/onfocus=alert(1)&gt;"; // Before AntiSamy 1.7.4
String expected = "k&lt;input&lt;&lt;/&gt;input/onfocus=alert(1)&gt;"; // AntiSamy 1.7.4 (and later?)
// String expected = "k&lt;input&lt;&lt;/&gt;input/onfocus=alert(1)&gt;"; // AntiSamy 1.7.4
String expected = "kinput/onfocus=alert(1)&gt;"; // AntiSamy 1.7.5 (and later?)
String output = instance.getValidSafeHTML("escaping style tag attack with onfocus attribute", input, 250, false, errors);
assertEquals(expected, output);
assertTrue(errors.size() == 0);
Expand Down