ZBUG-1932: Upgrading owasp-java-html-sanitizer version

store/ivy.xml

@@ -44,7 +44,7 @@
   <dependency org="com.101tec" name="zkclient" rev="0.1.0"/>
   <dependency org="xerces" name="xercesImpl" rev="2.9.1-patch-01"/>
   <dependency org="net.sourceforge.nekohtml" name="nekohtml" rev="1.9.13.1z"/>
-  <dependency org="com.googlecode.owasp-java-html-sanitizer" name="owasp-java-html-sanitizer" rev="20190610.3z"/>
+  <dependency org="com.googlecode.owasp-java-html-sanitizer" name="owasp-java-html-sanitizer" rev="20190610.4z"/>
   <dependency org="org.ehcache" name="ehcache" rev="3.1.2"/>
   <dependency org="ant-1.7.0-ziputil-patched" name="ant-1.7.0-ziputil-patched" rev="1.0"/>
   <dependency org="org.eclipse.jetty" name="jetty-continuation" rev="${jetty.version}"/>
@@ -138,5 +138,7 @@
   <dependency org="org.tukaani" name="xz" rev="1.9"/>
   <dependency org="com.drewnoakes" name="metadata-extractor" rev="2.16.0"/>
   <dependency org="com.adobe.xmp" name="xmpcore" rev="6.1.11"/>
+  <dependency org="org.apache.xmlgraphics" name="batik-i18n" rev="1.14"/>
+  <dependency org="org.apache.xmlgraphics" name="batik-util" rev="1.7"/>
  </dependencies>
 </ivy-module>

store/src/java-test/com/zimbra/cs/html/owasp/OwaspHtmlSanitizerTest.java

@@ -42,6 +42,7 @@
 import com.zimbra.cs.mime.ParsedMessage;
 import com.zimbra.cs.servlet.ZThreadLocal;
 import com.zimbra.cs.util.ZTestWatchman;
+import org.owasp.html.Encoding;
 
 public class OwaspHtmlSanitizerTest {
 
@@ -731,4 +732,52 @@ public void testBugZCS10594() throws Exception {
         String output = "<html><head><style>.uegzbq{font-size:22px;}@media not all and (pointer:coarse){.8bsfb:hover{background-color:#056b27;}}.scem3j{font-size:25px;}</style></head><body><div class=\"uegzbq\">First Line</div><br /><div class=\"scem3j\">Second Line</div></body></html>";
         Assert.assertTrue("Verification failed: Failed to include media queries.", output.equals(result.trim()));
     }
+
+    @Test
+    public void testBug1932_1() throws Exception {
+        String url = "https://google.com/?page=red.blue&num_ar=abcd123456&orgAcronyme=abc12";
+        String html = "<a href='"+url+"'>"+url+"</a>";
+        String result = new OwaspHtmlSanitizer(html, true, null).sanitize();
+        Assert.assertTrue(Encoding.decodeHtml(result).contains(url));
+    }
+
+    @Test
+    public void testBug1932_2() throws Exception {
+        String url = "https://google.com/?page=red.blue&numero_=abcd123456&orgAcronyme=abc12";
+        String html = "<a href='"+url+"'>"+url+"</a>";
+        String result = new OwaspHtmlSanitizer(html, true, null).sanitize();
+        Assert.assertTrue(Encoding.decodeHtml(result).contains(url));
+    }
+
+    @Test
+    public void testBug1932_3() throws Exception {
+        String url = "https://google.com/?page=red.blue&Integral_=abcd123456&orgAcronyme=abc12";
+        String html = "<a href='"+url+"'>"+url+"</a>";
+        String result = new OwaspHtmlSanitizer(html, true, null).sanitize();
+        Assert.assertTrue(Encoding.decodeHtml(result).contains(url));
+    }
+
+    @Test
+    public void testBug1932_4() throws Exception {
+        String url = "https://google.com/?page=red.blue&CounterClockwiseContourIntegral_=abcd123456&orgAcronyme=abc12";
+        String html = "<a href='"+url+"'>"+url+"</a>";
+        String result = new OwaspHtmlSanitizer(html, true, null).sanitize();
+        Assert.assertTrue(Encoding.decodeHtml(result).contains(url));
+    }
+
+    @Test
+    public void testBug1932_5() throws Exception {
+        String url = "https://google.com/?page=red.blue&num=abcd123456&orgAcronyme=abc12";
+        String html = "<a href='"+url+"'>"+url+"</a>";
+        String result = new OwaspHtmlSanitizer(html, true, null).sanitize();
+        Assert.assertTrue(Encoding.decodeHtml(result).contains(url));
+    }
+
+    @Test
+    public void testBug1932_6() throws Exception {
+        String url = "https://google.com/?page=red.blue&num*=abcd123456&orgAcronyme=abc12";
+        String html = "<a href='"+url+"'>"+url+"</a>";
+        String result = new OwaspHtmlSanitizer(html, true, null).sanitize();
+        Assert.assertTrue(Encoding.decodeHtml(result).contains(url));
+    }
 }