diff --git a/pom.xml b/pom.xml
index 8a159d823..c07caedc7 100644
--- a/pom.xml
+++ b/pom.xml
@@ -243,13 +243,18 @@
org.owasp.antisamyantisamy
- 1.7.4
+ 1.7.5org.slf4jslf4j-api
+
+
+ commons-logging
+ commons-logging
+
@@ -281,7 +286,7 @@
-->
commons-iocommons-io
- 2.14.0
+ 2.15.1
diff --git a/src/test/java/org/owasp/esapi/reference/validation/HTMLValidationRuleCleanTest.java b/src/test/java/org/owasp/esapi/reference/validation/HTMLValidationRuleCleanTest.java
index b5d516456..c28d24f9d 100644
--- a/src/test/java/org/owasp/esapi/reference/validation/HTMLValidationRuleCleanTest.java
+++ b/src/test/java/org/owasp/esapi/reference/validation/HTMLValidationRuleCleanTest.java
@@ -362,6 +362,10 @@ public void testAntiSamyRegressionCDATAWithJavascriptURL() throws Exception {
//
// See AntiSamy GitHub issue #380 (https://github.com/nahsra/antisamy/issues/389) for more details.
//
+ // The output has changed again as of AntiSamy 1.7.5. The expected output is now:
+ // Walert(1)
+ // See AntiSamy Release notes for 1.7.5 (https://github.com/nahsra/antisamy/releases/tag/v1.7.5)
+ //
// Also, this test, which originally used Validator.isValidSafeHTML(), has been
// changed to use Validator.getValidSafeHTML() instead because Validator.isValidSafeHTML()
// has been deprecated. See GitHub Security Advisory
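Review bot: The comment block extended here cites the AntiSamy issue as "#380" while the URL beside it points to `issues/389`, so the reference the new 1.7.5 paragraph builds on is ambiguous. Since this commit already edits the block, make the label and the link agree, e.g. `// See AntiSamy GitHub issue #NNN (https://github.com/nahsra/antisamy/issues/NNN) for more details.` with NNN being whichever issue is actually meant. The same mismatch appears in the matching comment above testOnfocusAfterStyleClosing in the hunk at -392. The comment block starts and ends outside this hunk, so the rest of it should be checked for the same reference.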
@@ -375,7 +379,8 @@ public void testScriptTagAfterStyleClosing() throws Exception {
ValidationErrorList errors = new ValidationErrorList();
String input = "W
alert(1)";
// String expected = "W<script>alert(1)</script>"; // Before AntiSamy 1.7.4
- String expected = "W<xmp<script>alert(1)</script>"; // AntiSamy 1.7.4 (and later?)
+ // String expected = "W<xmp<script>alert(1)</script>"; // AntiSamy 1.7.4
+ String expected = "Walert(1)"; // AntiSamy 1.7.5 (and later?)
String output = instance.getValidSafeHTML("escaping style tag attack with script tag", input, 250, false, errors);
assertEquals(expected, output);
assertTrue(errors.size() == 0);
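Review bot: The only check on the sanitizer result in testScriptTagAfterStyleClosing is an exact match against a string that has now changed three times across AntiSamy releases, so the security property itself (no live script markup survives) is never asserted on its own. Alongside the exact match, add a version-independent check such as `assertFalse(output.contains("<script"));` (assuming `assertFalse` is statically imported in this file), so a future upgrade that requires updating `expected` cannot silently accept unsafe output. The same applies to testOnfocusAfterStyleClosing in the hunk at -405, where the check could be `assertFalse(output.contains("<input"));`. As a style point, `assertEquals(0, errors.size());` reports the actual count on failure, which `assertTrue(errors.size() == 0)` does not. The method bodies start outside these hunks.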
@@ -392,6 +397,10 @@ public void testScriptTagAfterStyleClosing() throws Exception {
//
// See AntiSamy GitHub issue #380 (https://github.com/nahsra/antisamy/issues/389) for more details.
//
+ // The output has changed again as of AntiSamy 1.7.5. The expected output is now:
+ // kinput/onfocus=alert(1)>
+ // See AntiSamy Release notes for 1.7.5 (https://github.com/nahsra/antisamy/releases/tag/v1.7.5)
+ //
// Also, this test, which originally used Validator.isValidSafeHTML(), has been
// changed to use Validator.getValidSafeHTML() instead because Validator.isValidSafeHTML()
// has been deprecated. See GitHub Security Advisory
@@ -405,7 +414,8 @@ public void testOnfocusAfterStyleClosing() throws Exception {
String input = "kinput/onfocus=alert(1)>";
// String expected = "k<input/onfocus=alert(1)>"; // Before AntiSamy 1.7.4
- String expected = "k<input<</>input/onfocus=alert(1)>"; // AntiSamy 1.7.4 (and later?)
+ // String expected = "k<input<</>input/onfocus=alert(1)>"; // AntiSamy 1.7.4
+ String expected = "kinput/onfocus=alert(1)>"; // AntiSamy 1.7.5 (and later?)
String output = instance.getValidSafeHTML("escaping style tag attack with onfocus attribute", input, 250, false, errors);
assertEquals(expected, output);
assertTrue(errors.size() == 0);