Releases: OWASP/java-html-sanitizer

Release 20260102.1

03 Jan 02:07

Changelog

  • 2783897 Release version 20260102.1 (GitHub Actions)
  • f40152f Update release configuration (Andres Almiray)
  • c159aac fixes examples broken link (Sergio del Amo)
  • dea5672 Fix #369: Ensure owasp-java-html-sanitizer targets Java 8 (Andres Almiray)
  • 66b55e0 Configure release announcements (Andres Almiray)
  • 113405d Prepare for next development version (GitHub Actions)

Contributors

We'd like to thank the following people for their contributions:

Release 20260101.1

01 Jan 19:29

Changelog

  • dd3219a Release version 20260101.1 (GitHub Actions)
  • 50258b9 Update release configuration (Andres Almiray)
  • 4149cf0 Fix #363: CVE-2025-66021 (melloware)
  • b98cdf1 Fix #363: CVE-2025-66021 (melloware)
  • 17e5950 Fix resource loading in HtmlSanitizerFuzzerTest (José Pintado)
  • cd23da8 Release configuration must define custom tag format (Andres Almiray)
  • d978432 Update POMs with explicit URL (Andres Almiray)
  • 2e32163 Add release workflow (Andres Almiray)
  • 9ba6a8f Update GH workflows (Andres Almiray)
  • a5c8e7b Update Maven configuration (Andres Almiray)
  • df4a4a1 Update .gitignore list (Andres Almiray)
  • 581ef65 Add Maven wrapper (Andres Almiray)
  • d6e0463 Fix #363: CVE-2025-66021 (melloware)
  • 4308989 Update SECURITY.md (Mike Samuel)
  • d33151b Get rid of defunct html-types and fix copy/paste error in empiricism/pom.xml (Mike Samuel)
  • fbfe3cc empiricism: remove uses of Guava (Mike Samuel)
  • 6d55158 RELEASE-checklist: update with changes to module arrangement (Mike Samuel)
  • dd92edf Bumped dev version (Mike Samuel)

Contributors

We'd like to thank the following people for their contributions:

Release 20240325.1

25 Mar 18:40
release-20240325.1
dd8c6a4

  • Remove dependency on Guava
  • Raise minimum supported JVM release to 8
  • HTML: Avoid duplicate link rel values.
  • HTML: Recognize foreign content syntactic context: mathml / svg.
  • CSS: Better support for font-size, overflow-wrap, word-break.
  • CSS: Better child combinator parsing.
  • Bug: Fixed out of bounds when mixing global style attribute with others.
  • Special thanks to (in lexicographic order):
    Claudio Weiler, Josh England, Prakhar Maurya, Sven Strickroth, subbudvk

Release 20220608.1

08 Jun 17:17
release-20220608.1
e35ef4f

  • Fix bugs in CSS tokenization
  • Fix decoding of HTML character references that lack semicolons,
    like &para, in HTML attribute values; this affected
    URL query parameters.

v20211018.2

18 Oct 20:18
release-20211018.2
62a0715

Changes how we avoid problems with special tags inside <select> elements. Instead of complicating the rendering of <style> elements in all cases, now we just close special elements when they are embedded in <select> elements so no text under a <select> is interpreted as anything other than PCDATA.

This is a follow-on to https://docs.google.com/document/d/11SoX296sMS0XoQiQbpxc5pNxSdbJKDJkm5BDv0zrX50/edit#heading=h.ff1sdefzjxrx and we recommend using it over v20211018.1.

20211018.1

18 Oct 13:44
release-20211018.1
374ea2f

20200713.1

13 Jul 15:55
release-20200713.1
25c3d64

Improves SVG and MathML support.
Now policies don't lower-case element and attribute names that are defined in either the SVG or MathML schemas.

Be aware that SVG's <textArea> is now distinct from HTML's <textarea>.

20190610.1

10 Jun 20:58
release-20190610.1
969786d

  • Recognize HTML entity names added in the last few years. Now &name; will work consistently.

19 Feb 2018

19 Feb 16:11
release-20180219.1
bd515a7
