Fix #363: CVE-2025-66021 #364
Conversation
cc @ironfisto

@mikesamuel can you approve workflow and review this PR?

Rebased!
kittylyst left a comment
I've reviewed this as best I can without having full context on the project, and I concur that getting this out there sooner rather than later is better.
I'm +1 to merge and release.
damianszczepanik left a comment
Repository owner has to agree to start building this PR
Approve the builds to run - let's see what happens

Looks like it all passed and built!

Sorry for being annoying with @, but is there any info about the progress of this? Looks like we are waiting for @jmanico and @erikcostlow review, but as I understand from here #363, they no longer maintain this project and now it's on @aalmiray to release this?

I'm the one that has upgraded the build for posting releases, yes. But I do not possess the domain knowledge required to assess if code patches are suitable for fixes, especially for a CVE. Which is why I'm waiting for someone else to clear that out.

That's perfectly reasonable, and that someone else would be one of the guys I mentioned in my previous comment?

I have taken this PR as far as it can go. Unit tests proving the issue, then iterating and fixing the code until the broken unit tests pass. Introduced new unit tests when scenarios like

Thanks to everyone who has contributed to this PR. As the new maintainers are still levelling up, and are operating at best efforts, then I think we're as sure as we can be. I propose we give it 24 hours and if no-one complains, then @aalmiray should do a release. Any objections to that plan?

NYE's gift? 😅 The first release under the new scheme is good to go, although I think further updates may be needed as the project's version does not follow semver; a manual step is needed for now. This being said, JReleaser supports other versioning options. These updates can be applied later.

+1 on this idea!
Yes that is fair. I think this is a good plan if the rest of the team supports it.

At the very least I merged the PR into main. I'll leave it to others to decide on when to release.
Fix #363: CVE-2025-66021
allowTextInto make sure it allows only tags allowed
< script> is the same as <script>