From afc252e07d457faedde073f53178d6470d96e29b Mon Sep 17 00:00:00 2001
From: Michele Preziuso
Date: Wed, 28 Feb 2024 21:49:34 +0000
Subject: [PATCH] fix: upgrade Antisamy to 1.7.5 to resolve CVE-2024-23635
---
 pom.xml | 9 +++++++--
 .../validation/HTMLValidationRuleCleanTest.java | 14 ++++++++++++--
 2 files changed, 19 insertions(+), 4 deletions(-)
diff --git a/pom.xml b/pom.xml
index 8a159d823..c07caedc7 100644
--- a/pom.xml
+++ b/pom.xml
@@ -243,13 +243,18 @@ org.owasp.antisamy antisamy
- 1.7.4
+ 1.7.5
 org.slf4j slf4j-api + + + commons-logging commons-logging +
@@ -281,7 +286,7 @@ --> commons-io commons-io
- 2.14.0
+ 2.15.1
diff --git a/src/test/java/org/owasp/esapi/reference/validation/HTMLValidationRuleCleanTest.java b/src/test/java/org/owasp/esapi/reference/validation/HTMLValidationRuleCleanTest.java
index b5d516456..c28d24f9d 100644
--- a/src/test/java/org/owasp/esapi/reference/validation/HTMLValidationRuleCleanTest.java
+++ b/src/test/java/org/owasp/esapi/reference/validation/HTMLValidationRuleCleanTest.java
@@ -362,6 +362,10 @@ public void testAntiSamyRegressionCDATAWithJavascriptURL() throws Exception {
 //
 // See AntiSamy GitHub issue #380 (https://github.com/nahsra/antisamy/issues/389) for more details.
 //
+ // The output has changed again as of AntiSamy 1.7.5. The expected output is now:
+ // Walert(1)
+ // See AntiSamy Release notes for 1.7.5 (https://github.com/nahsra/antisamy/releases/tag/v1.7.5)
+ //
 // Also, this test, which originally used Validator.isValidSafeHTML(), has been
 // changed to use Validator.getValidSafeHTML() instead because Validator.isValidSafeHTML()
 // has been deprecated. See GitHub Security Advisory
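Review bot: The three added comment lines record the 1.7.5 output and link the release notes but never mention CVE-2024-23635, which the commit subject gives as the reason for the upgrade, so a reader of the test cannot tell that this expectation change is tied to a security fix rather than to an incidental sanitizer change. I would extend the third added line to `// See AntiSamy release notes for 1.7.5 (https://github.com/nahsra/antisamy/releases/tag/v1.7.5); per the commit that introduced this expectation, that release resolves CVE-2024-23635.` The context line just above cites issue #380 while its URL points at issues/389; that mismatch predates this commit, but it is cheap to reconcile while the comment block is being edited. The enclosing test method starts and ends outside this hunk.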
@@ -375,7 +379,8 @@ public void testScriptTagAfterStyleClosing() throws Exception {
 ValidationErrorList errors = new ValidationErrorList();
 String input = "Walert(1)";
 // String expected = "W<script>alert(1)</script>"; // Before AntiSamy 1.7.4
- String expected = "W<xmp<script>alert(1)</script>"; // AntiSamy 1.7.4 (and later?)
+ // String expected = "W<xmp<script>alert(1)</script>"; // AntiSamy 1.7.4
+ String expected = "Walert(1)"; // AntiSamy 1.7.5 (and later?)
 String output = instance.getValidSafeHTML("escaping style tag attack with script tag", input, 250, false, errors);
 assertEquals(expected, output);
 assertTrue(errors.size() == 0);
@@ -392,6 +397,10 @@ public void testScriptTagAfterStyleClosing() throws Exception {
 //
 // See AntiSamy GitHub issue #380 (https://github.com/nahsra/antisamy/issues/389) for more details.
 //
+ // The output has changed again as of AntiSamy 1.7.5. The expected output is now:
+ // kinput/onfocus=alert(1)>
+ // See AntiSamy Release notes for 1.7.5 (https://github.com/nahsra/antisamy/releases/tag/v1.7.5)
+ //
 // Also, this test, which originally used Validator.isValidSafeHTML(), has been
 // changed to use Validator.getValidSafeHTML() instead because Validator.isValidSafeHTML()
 // has been deprecated. See GitHub Security Advisory
@@ -405,7 +414,8 @@ public void testOnfocusAfterStyleClosing() throws Exception {
 String input = "kinput/onfocus=alert(1)>";
 // String expected = "k<input/onfocus=alert(1)>"; // Before AntiSamy 1.7.4
- String expected = "k<input<</>input/onfocus=alert(1)>"; // AntiSamy 1.7.4 (and later?)
+ // String expected = "k<input<</>input/onfocus=alert(1)>"; // AntiSamy 1.7.4
+ String expected = "kinput/onfocus=alert(1)>"; // AntiSamy 1.7.5 (and later?)
 String output = instance.getValidSafeHTML("escaping style tag attack with onfocus attribute", input, 250, false, errors);
 assertEquals(expected, output);
 assertTrue(errors.size() == 0);
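Review bot: The added `String expected = "Walert(1)"; // AntiSamy 1.7.5 (and later?)` pins the exact serialization of one AntiSamy release, and the hunk itself shows this literal has now been replaced once per upgrade (1.7.4, then 1.7.5), each time tagged with the same "(and later?)" doubt, so the next upgrade will fail the test without saying whether the `<script>` payload is still neutralized. I would keep the exact comparison but add the property the test exists to prove, `assertFalse("script element survived sanitization", output.contains("<script"));`, so a future output change can be judged against the security requirement rather than against a transcript of old behaviour. In this listing the input literal and the new expected literal read identically, which is probably an artefact of angle-bracket markup being stripped from the page, but it illustrates that an exact-string assertion alone does not express what "safe" means here. The enclosing test method begins outside this hunk.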
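Review bot: The added comment states the expected output as `kinput/onfocus=alert(1)>` without saying why an output that still carries the text `onfocus=alert(1)>` counts as safe; a reader who sees an event-handler payload in the "expected" value of a sanitizer test needs the reasoning spelled out, presumably that the surrounding element markup is gone or encoded so a browser only ever sees character data, but the comment should say so rather than leave it implied (and this listing may have lost angle-bracket markup, so verify the literal against the source first). I would add after the second added line a sentence such as `// The attribute text survives only as inert character data; no element or attribute is emitted, so no handler can fire.`, adjusted to whatever the 1.7.5 output really contains. The enclosing test method starts and ends outside this hunk.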
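Review bot: The new expected line repeats the `(and later?)` hedge in `// AntiSamy 1.7.5 (and later?)`, the same wording the removed line carried for 1.7.4, which this very commit shows was wrong within one release; the comment should tell the maintainer where the pinned version lives instead of guessing about the future. I would write `String expected = "kinput/onfocus=alert(1)>"; // AntiSamy 1.7.5, the version pinned in pom.xml; re-check on every AntiSamy upgrade`. The hunk header counts 7 old lines but only 6 are visible here, so the first context line appears to be missing from this listing, and the enclosing test method begins outside the hunk.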