ZBUG-1932: Upgrading owasp-java-html-sanitizer version (#1227)

Zimbra · Mar 14, 2022 · 83c8cde · 83c8cde
1 parent 3ab614f
commit 83c8cde
Show file tree

Hide file tree

Showing 3 changed files with 33 additions and 8 deletions.
diff --git a/store/build.xml b/store/build.xml
@@ -288,8 +288,8 @@
     <ivy:install organisation="oauth" module="oauth" revision="1.4" settingsRef="dev.settings" from="chain-resolver" to="build-tmp" overwrite="true" transitive="true" type="jar"/>
     <ivy:install organisation="org.apache.xmlgraphics" module="batik-css" revision="1.7" settingsRef="dev.settings" from="chain-resolver" to="build-tmp" overwrite="true" transitive="true" type="jar"/>
     <ivy:install organisation="org.w3c.css" module="sac" revision="1.3" settingsRef="dev.settings" from="chain-resolver" to="build-tmp" overwrite="true" transitive="true" type="jar"/>
-    <ivy:install organisation="org.apache.xmlgraphics" module="batik-i18n" revision="1.9" settingsRef="dev.settings" from="chain-resolver" to="build-tmp" overwrite="true" transitive="true" type="jar"/>
-    <ivy:install organisation="org.apache.xmlgraphics" module="batik-util" revision="1.8" settingsRef="dev.settings" from="chain-resolver" to="build-tmp" overwrite="true" transitive="true" type="jar"/>
+    <ivy:install organisation="org.apache.xmlgraphics" module="batik-i18n" revision="1.14" settingsRef="dev.settings" from="chain-resolver" to="build-tmp" overwrite="true" transitive="true" type="jar"/>
+    <ivy:install organisation="org.apache.xmlgraphics" module="batik-util" revision="1.14" settingsRef="dev.settings" from="chain-resolver" to="build-tmp" overwrite="true" transitive="true" type="jar"/>
   	<ivy:install organisation="org.springframework" module="spring-aop" revision="5.1.10.RELEASE" settingsRef="dev.settings" from="chain-resolver" to="build-tmp" overwrite="true" transitive="true" type="jar"/>
     <ivy:install organisation="org.springframework" module="spring-beans" revision="5.1.10.RELEASE" settingsRef="dev.settings" from="chain-resolver" to="build-tmp" overwrite="true" transitive="true" type="jar"/>
     <ivy:install organisation="org.springframework" module="spring-context" revision="5.1.10.RELEASE" settingsRef="dev.settings" from="chain-resolver" to="build-tmp" overwrite="true" transitive="true" type="jar"/>

diff --git a/store/ivy.xml b/store/ivy.xml
@@ -44,9 +44,7 @@
   <dependency org="com.101tec" name="zkclient" rev="0.1.0"/>
   <dependency org="xerces" name="xercesImpl" rev="2.9.1-patch-01"/>
   <dependency org="net.sourceforge.nekohtml" name="nekohtml" rev="1.9.13.1z"/>
-  <!--Build uses the custom version 20190610.1z of owasp lib.
-  Not updating custom version here as the version 20190610.1 is only used for compilation.-->
-  <dependency org="com.googlecode.owasp-java-html-sanitizer" name="owasp-java-html-sanitizer" rev="20190610.3z"/>
+  <dependency org="com.googlecode.owasp-java-html-sanitizer" name="owasp-java-html-sanitizer" rev="20190610.4z"/>
   <dependency org="org.ehcache" name="ehcache" rev="3.1.2"/>
   <dependency org="ant-1.7.0-ziputil-patched" name="ant-1.7.0-ziputil-patched" rev="1.0"/>
   <dependency org="org.eclipse.jetty" name="jetty-continuation" rev="${jetty.version}"/>
@@ -123,7 +121,7 @@
   <dependency org="org.owasp.antisamy" name="antisamy" rev="1.5.8"/>
   <dependency org="org.apache.xmlgraphics" name="batik-css" rev="1.7"/>
   <dependency org="org.w3c.css" name="sac" rev="1.3"/>
-  <dependency org="org.apache.xmlgraphics" name="batik-i18n" rev="1.9"/>
-  <dependency org="org.apache.xmlgraphics" name="batik-util" rev="1.8"/>
+  <dependency org="org.apache.xmlgraphics" name="batik-i18n" rev="1.14"/>
+  <dependency org="org.apache.xmlgraphics" name="batik-util" rev="1.14"/>
  </dependencies>
 </ivy-module>
diff --git a/store/src/java-test/com/zimbra/cs/html/owasp/OwaspHtmlSanitizerTest.java b/store/src/java-test/com/zimbra/cs/html/owasp/OwaspHtmlSanitizerTest.java
@@ -42,6 +42,7 @@
 import com.zimbra.cs.mime.ParsedMessage;
 import com.zimbra.cs.servlet.ZThreadLocal;
 import com.zimbra.cs.util.ZTestWatchman;
+import org.owasp.html.Encoding;
 
 public class OwaspHtmlSanitizerTest {
 
@@ -734,5 +735,31 @@ public void testBugZCS10594() throws Exception {
         String output = "<html><head><style>.uegzbq{font-size:22px;}@media not all and (pointer:coarse){.8bsfb:hover{background-color:#056b27;}}.scem3j{font-size:25px;}</style></head><body><div class=\"uegzbq\">First Line</div><br /><div class=\"scem3j\">Second Line</div></body></html>";
         Assert.assertTrue("Verification failed: Failed to include media queries.", output.equals(result.trim()));
     }
-
+
+    @Test
+    public void testBug1932ShouldReturnSameUrlAfterSanitizing_1() throws Exception {
+        String url = "https://google.com/?page=red.blue&num_ar=abcd123456&orgAcronyme=abc12";
+        String html = "<a href='"+url+"'>"+url+"</a>";
+        String result = new OwaspHtmlSanitizer(html, true, null).sanitize();
+        //&num should not be converted to #
+        Assert.assertTrue(Encoding.decodeHtml(result).contains(url));
+    }
+
+    @Test
+    public void testBug1932ShouldReturnSameUrlAfterSanitizing_2() throws Exception {
+        String url = "https://google.com/?page=red.blue&numero_num=10&Integral_int=20";
+        String html = "<a href='"+url+"'>"+url+"</a>";
+        String result = new OwaspHtmlSanitizer(html, true, null).sanitize();
+        //&numero and &Integral should not be converted to № and ∫
+        Assert.assertTrue(Encoding.decodeHtml(result).contains(url));
+    }
+
+    @Test
+    public void testBug1932ShouldReturnSameUrlAfterSanitizing_3() throws Exception {
+        String url = "https://google.com/?account=2&order_id=125";
+        String html = "<a href='"+url+"'>"+url+"</a>";
+        String result = new OwaspHtmlSanitizer(html, true, null).sanitize();
+        //&order should not be converted to ℴ
+        Assert.assertTrue(Encoding.decodeHtml(result).contains(url));
+    }
 }