ZBUG-1932: Upgrading jar with new changes from owasp library v20211018.2

.travis.yml

@@ -0,0 +1,15 @@
+language: java
+sudo: false
+dist: trusty
+jdk:
+  # It's important to test on all these because of a horrible hack in the POM.
+# - openjdk6
+  - openjdk7
+  - oraclejdk8
+  - oraclejdk9
+  - oraclejdk11
+
+# Test each version with an appropriate Java version and flags to disable
+# GPG signing so that we don't have to provision Travis with private keys.
+install: true
+script: "$TRAVIS_BUILD_DIR/scripts/build_for_travis.sh"

html-types/pom.xml

@@ -20,6 +20,26 @@
 
   <build>
     <plugins>
+      <plugin>
+        <groupId>org.apache.felix</groupId>
+        <artifactId>maven-bundle-plugin</artifactId>
+      </plugin>
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-verifier-plugin</artifactId>
+        <configuration>
+            <verificationFile>src/test/resources/osgi-integration-verification.xml</verificationFile>
+        </configuration>
+        <executions>
+          <execution>
+            <id>main</id>
+            <phase>verify</phase>
+            <goals>
+              <goal>verify</goal>
+            </goals>
+          </execution>
+        </executions>
+      </plugin>
     </plugins>
   </build>
 
@@ -54,9 +74,9 @@
   <reporting>
     <plugins>
       <plugin>
-        <groupId>org.codehaus.mojo</groupId>
-        <artifactId>findbugs-maven-plugin</artifactId>
-        <version>3.0.2</version>
+        <groupId>com.github.spotbugs</groupId>
+        <artifactId>spotbugs-maven-plugin</artifactId>
+        <version>3.1.12.2</version>
         <configuration>
           <effort>Max</effort>
           <threshold>Low</threshold>

html-types/src/test/resources/osgi-integration-verification.xml

@@ -0,0 +1,10 @@
+<verifications xmlns="http://maven.apache.org/verifications/1.0.0"
+               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+               xsi:schemaLocation="http://maven.apache.org/verifications/1.0.0 http://maven.apache.org/xsd/verifications-1.0.0.xsd">
+  <files>
+    <file>
+      <location>target/classes/META-INF/MANIFEST.MF</location>
+      <contains>Export-Package: org.owasp.html.htmltypes</contains>
+    </file>
+  </files>
+</verifications>

parent/pom.xml

@@ -67,12 +67,10 @@ application while protecting against XSS.
 
   <reporting>
     <plugins>
-      <!-- `mvn compile site` will generate target/site/findbugs.html -->
-      <!-- http://gleclaire.github.io/findbugs-maven-plugin/dependency-info.html -->
       <plugin>
-        <groupId>org.codehaus.mojo</groupId>
-        <artifactId>findbugs-maven-plugin</artifactId>
-        <version>3.0.2</version>
+        <groupId>com.github.spotbugs</groupId>
+        <artifactId>spotbugs-maven-plugin</artifactId>
+        <version>3.1.12.2</version>
         <configuration>
           <!--
             Enables analysis which takes more memory but finds more bugs.
@@ -90,7 +88,7 @@ application while protecting against XSS.
   <properties>
     <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
     <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
-    <guava.version>27.1-jre</guava.version>
+    <guava.version>30.1-jre</guava.version>
   </properties>
 
   <build>
@@ -153,7 +151,7 @@ application while protecting against XSS.
         <plugin>
           <groupId>org.apache.maven.plugins</groupId>
           <artifactId>maven-javadoc-plugin</artifactId>
-          <version>2.10.4</version>
+          <version>3.2.0</version>
           <executions>
             <execution>
               <id>attach-javadocs</id>
@@ -170,14 +168,15 @@ application while protecting against XSS.
             <excludePackageNames>*.example</excludePackageNames>
             <!-- The Javadoc that ships with JDK 8 is spammy.
                  http://docs.oracle.com/javase/8/docs/technotes/tools/unix/javadoc.html#BEJEFABE -->
-            <additionalparam>-Xdoclint:-missing</additionalparam>
+            <additionalOptions>-Xdoclint:-missing -html5</additionalOptions>
             <!-- workaround for https://bugs.openjdk.java.net/browse/JDK-8212233 -->
             <javaApiLinks>
               <property>
                 <name>foo</name>
                 <value>bar</value>
               </property>
             </javaApiLinks>
+            <source>6</source>
           </configuration>
         </plugin>
         <plugin>
@@ -194,6 +193,11 @@ application while protecting against XSS.
           <artifactId>maven-deploy-plugin</artifactId>
           <version>2.8.2</version>
         </plugin>
+        <plugin>
+          <groupId>org.apache.maven.plugins</groupId>
+          <artifactId>maven-project-info-reports-plugin</artifactId>
+          <version>2.9</version>
+        </plugin>
         <plugin>
           <groupId>org.jacoco</groupId>
           <artifactId>jacoco-maven-plugin</artifactId>
@@ -213,6 +217,17 @@ application while protecting against XSS.
             </dependency>
           </dependencies>
         </plugin>
+        <plugin>
+          <groupId>org.apache.felix</groupId>
+          <artifactId>maven-bundle-plugin</artifactId>
+          <extensions>true</extensions>
+          <version>3.5.0</version>
+        </plugin>
+          <plugin>
+            <groupId>org.apache.maven.plugins</groupId>
+            <artifactId>maven-verifier-plugin</artifactId>
+            <version>1.1</version>
+          </plugin>
       </plugins>
     </pluginManagement>
   </build>
@@ -244,13 +259,13 @@ application while protecting against XSS.
       <dependency>
         <groupId>com.google.protobuf</groupId>
         <artifactId>protobuf-java</artifactId>
-        <version>[3.7.0,)</version>
+        <version>3.9.1</version>
         <scope>provided</scope>
       </dependency>
       <dependency>
         <groupId>junit</groupId>
         <artifactId>junit</artifactId>
-        <version>4.12</version>
+        <version>4.13.1</version>
         <scope>test</scope>
       </dependency>
     </dependencies>

scripts/build_for_travis.sh

@@ -14,13 +14,16 @@ if echo $TRAVIS_JDK_VERSION | egrep -q '(jdk|jre)[67]($|[^0-9])'; then
     # The main library only uses jdk6 compatible dependencies,
     # but Guava 21.0 is compatibility with jdk 7.
     COMMON_FLAGS="$COMMON_FLAGS -Dguava.version=20.0"
-
+fi
+if echo $TRAVIS_JDK_VERSION | egrep -q '(jdk|jre)([678]|11)($|[^0-9])'; then
     # Older versions of javadoc barf on -Xdoclint flags used
     # to configure the maven-javadoc-plugin.
+    # JDK8 javadoc barfs on the flag "-html5]
+    # JDK11 barfs too.  https://bugs.openjdk.java.net/browse/JDK-8212233
+    # JDK9 is okay.  Yay!
     COMMON_FLAGS="$COMMON_FLAGS -Dmaven.javadoc.skip=true"
 fi
 
-
 echo "*** TRAVIS_JDK_VERSION=$TRAVIS_JDK_VERSION COMMON_FLAGS=($COMMON_FLAGS) IS_LEGACY=$IS_LEGACY"
 
 mvn install -DskipTests=true $COMMON_FLAGS

src/main/java/org/owasp/html/CssSchema.java

@@ -293,7 +293,9 @@ Property forKey(String propertyName) {
     ImmutableSet<String> mozOutlineLiterals3 = ImmutableSet.of(
         "hidden", "inherit", "inset", "invert", "medium", "none");
     ImmutableMap<String, String> mozOutlineFunctions =
-      ImmutableMap.<String, String>of("rgb(", "rgb()", "rgba(", "rgba()");
+      ImmutableMap.<String, String>of(
+        "rgb(", "rgb()", "rgba(", "rgba()",
+        "hsl(", "hsl()", "hsla(", "hsla()");
     ImmutableSet<String> mozOutlineColorLiterals0 =
       ImmutableSet.of("inherit", "invert");
     ImmutableSet<String> mozOutlineStyleLiterals0 =
@@ -324,6 +326,7 @@ Property forKey(String propertyName) {
       .put("repeating-linear-gradient(", "repeating-linear-gradient()")
       .put("repeating-radial-gradient(", "repeating-radial-gradient()")
       .put("rgb(", "rgb()").put("rgba(", "rgba()")
+      .put("hsl(", "hsl()").put("hsla(", "hsla()")
       .build();
     ImmutableSet<String> backgroundAttachmentLiterals0 =
       ImmutableSet.of(",", "fixed", "local", "scroll");
@@ -742,6 +745,9 @@ Property forKey(String propertyName) {
     builder.put("zoom", new Property(1, fontStretchLiterals1, zeroFns));
     Property rgb$Fun = new Property(1, rgb$FunLiterals0, zeroFns);
     builder.put("rgb()", rgb$Fun);
+    builder.put("rgba()", rgb$Fun);
+    builder.put("hsl()", rgb$Fun);
+    builder.put("hsla()", rgb$Fun);
     @SuppressWarnings("unchecked")
     Property image$Fun = new Property(
         18, union(mozOutlineLiterals0, rgb$FunLiterals0), mozOutlineFunctions);
@@ -835,7 +841,6 @@ Property forKey(String propertyName) {
     builder.put("width", margin);
     builder.put("word-spacing", letterSpacing);
     builder.put("z-index", bottom);
-    builder.put("rgba()", rgb$Fun);
     builder.put("repeating-linear-gradient()", linearGradient$Fun);
     builder.put("repeating-radial-gradient()", radialGradient$Fun);
     DEFINITIONS = builder.build();
@@ -961,6 +966,8 @@ private static <T> ImmutableSet<T> union(
       "repeating-radial-gradient()",
       "rgb()",
       "rgba()",
+      "hsl()",
+      "hsla()",
       "richness",
       "speak",
       "speak-header",

src/main/java/org/owasp/html/ElementAndAttributePolicies.java

@@ -35,26 +35,26 @@
 
 /**
  * Encapsulates all the information needed by the
- * {@link ElementAndAttributePolicySanitizerPolicy} to sanitize one kind
+ * {@link ElementAndAttributePolicyBasedSanitizerPolicy} to sanitize one kind
  * of element.
  */
 @Immutable
 final class ElementAndAttributePolicies {
   final String elementName;
   final ElementPolicy elPolicy;
   final ImmutableMap<String, AttributePolicy> attrPolicies;
-  final boolean skipIfEmpty;
+  final HtmlTagSkipType htmlTagSkipType;
 
   ElementAndAttributePolicies(
       String elementName,
       ElementPolicy elPolicy,
       Map<? extends String, ? extends AttributePolicy>
         attrPolicies,
-      boolean skipIfEmpty) {
+      HtmlTagSkipType htmlTagSkipType) {
     this.elementName = elementName;
     this.elPolicy = elPolicy;
     this.attrPolicies = ImmutableMap.copyOf(attrPolicies);
-    this.skipIfEmpty = skipIfEmpty;
+    this.htmlTagSkipType = htmlTagSkipType;
   }
 
   ElementAndAttributePolicies and(ElementAndAttributePolicies p) {
@@ -78,24 +78,11 @@ ElementAndAttributePolicies and(ElementAndAttributePolicies p) {
       }
     }
 
-    // HACK: this is attempting to recognize when skipIfEmpty has been
-    // explicitly set in HtmlPolicyBuilder and can only make a best effort at
-    // that and is also too tightly coupled with HtmlPolicyBuilder.
-    // Maybe go tri-state.
-    boolean combinedSkipIfEmpty;
-    if (HtmlPolicyBuilder.DEFAULT_SKIP_IF_EMPTY.contains(elementName)) {
-      // Either policy explicitly opted out of skip if empty.
-      combinedSkipIfEmpty = skipIfEmpty && p.skipIfEmpty;
-    } else {
-      // Either policy explicitly specified skip if empty.
-      combinedSkipIfEmpty = skipIfEmpty || p.skipIfEmpty;
-    }
-
     return new ElementAndAttributePolicies(
         elementName,
         ElementPolicy.Util.join(elPolicy, p.elPolicy),
         joinedAttrPolicies.build(),
-        combinedSkipIfEmpty);
+        this.htmlTagSkipType.and(p.htmlTagSkipType));
   }
 
   ElementAndAttributePolicies andGlobals(
@@ -130,7 +117,7 @@ ElementAndAttributePolicies andGlobals(
     }
     if (anded == null) { return this; }
     return new ElementAndAttributePolicies(
-        elementName, elPolicy, anded, skipIfEmpty);
+        elementName, elPolicy, anded, htmlTagSkipType);
   }
 
 }

src/main/java/org/owasp/html/ElementAndAttributePolicyBasedSanitizerPolicy.java

@@ -104,7 +104,7 @@ public void openTag(String elementName, List<String> attrs) {
     ElementAndAttributePolicies policies = elAndAttrPolicies.get(elementName);
     String adjustedElementName = applyPolicies(elementName, attrs, policies);
     if (adjustedElementName != null
-        && !(attrs.isEmpty() && policies.skipIfEmpty)) {
+        && !(attrs.isEmpty() && policies.htmlTagSkipType.skipAvailability())) {
       writeOpenTag(policies, adjustedElementName, attrs);
       return;
     }
@@ -144,7 +144,7 @@ public void openTag(String elementName, List<String> attrs) {
 
       adjustedElementName = policies.elPolicy.apply(elementName, attrs);
       if (adjustedElementName != null) {
-        adjustedElementName = HtmlLexer.canonicalName(adjustedElementName);
+        adjustedElementName = HtmlLexer.canonicalElementName(adjustedElementName);
       }
     } else {
       adjustedElementName = null;