nahsra/antisamy
### [`v1.7.1`](https://togithub.com/nahsra/antisamy/releases/tag/v1.7.1)
[Compare Source](https://togithub.com/nahsra/antisamy/compare/v1.7.0...v1.7.1)
This release addresses the following issues:
1. Documentation Improvements: Clarifying that relying on getErrorMessages() or getNumberOfErrors() is UNSAFE.
There has been much confusion about the `getErrorMessages()` method. Neither the `getErrorMessages()` method nor `getNumberOfErrors()` answers, even subtly, the question "is this safe input?" in the affirmative if it returns an empty list. You must always use the sanitized input and there is no way to be sure the input passed in had no attacks.
We had already added a note about this in the README for AntiSamy 1.7.0, but we have now added similar information to the Javadoc for all the related methods. That way if a developer is reading the Javadoc, they are more likely to notice that these methods are purely informational, and CANNOT be relied on for security. Only CleanResults.getCleanHTML() can be relied on to provide safe/clean HTML to send back to the user's browser.
2. Announcing plan to deprecate support for external stylesheets
The AntiSamy team has decided that supporting the ability to allow embedded remote CSS is dangerous and so we are deprecating this feature and it will be removed in a future release. It is expected that there are very few, if any, users of this feature.
We have added a log WARNing if this feature is invoked. If you are using this API, please disable/remove this feature by switching to the primary CssScanner() constructor that does not enable this feature, or by dropping direct use of this constructor because, by default, this feature is not enabled.
3. Minor Bug [#200](https://togithub.com/nahsra/antisamy/issues/200): AntiSamy converting single quotes to double quotes for font-family which is causing issue while rendering
This issue was fixed in this release. See the issue ticket for more details.
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
[ ] If you want to rebase/retry this PR, click this checkbox.
This PR has been generated by Mend Renovate. View repository job log here.
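The two usage patterns that item 1 of the release notes contrasts, shown side by side as an added example (not code from the AntiSamy project or from this PR). The class name `CommentSanitizer`, its method names and the policy file path passed on the command line are assumptions for illustration.

```java
import java.util.logging.Logger;
import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

// Hypothetical wrapper class, not part of AntiSamy.
public class CommentSanitizer {
    private static final Logger LOG = Logger.getLogger(CommentSanitizer.class.getName());
    private final AntiSamy antiSamy = new AntiSamy();
    private final Policy policy;

    public CommentSanitizer(String policyPath) throws PolicyException {
        // policyPath is an assumption: the AntiSamy policy XML your application ships.
        this.policy = Policy.getInstance(policyPath);
    }

    // UNSAFE pattern the release notes warn about: an empty error list is
    // treated as proof that the raw input is harmless, so the raw input is returned.
    public String renderUnsafe(String untrusted) throws ScanException, PolicyException {
        CleanResults results = antiSamy.scan(untrusted, policy);
        if (results.getNumberOfErrors() == 0) {
            return untrusted; // raw, unsanitized markup reaches the browser
        }
        return results.getCleanHTML();
    }

    // Safe pattern: the error count is informational only (logged for triage);
    // the value returned is always the sanitized HTML.
    public String render(String untrusted) throws ScanException, PolicyException {
        CleanResults results = antiSamy.scan(untrusted, policy);
        int reported = results.getNumberOfErrors();
        if (reported > 0) {
            // Log the count only; the messages can echo attacker-controlled text.
            LOG.info("AntiSamy reported " + reported + " policy violations");
        }
        return results.getCleanHTML();
    }

    public static void main(String[] args) throws Exception {
        CommentSanitizer sanitizer = new CommentSanitizer(args[0]);
        // Constructed sample input for demonstration.
        String sample = "<p onclick=\"alert(1)\">hello</p><b>world</b>";
        System.out.println(sanitizer.render(sample));
    }
}
```

When reviewing code after this upgrade, search for callers that branch on `getErrorMessages()` or `getNumberOfErrors()` and then return or store the original string.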
This PR contains the following updates: 1.7.0 -> 1.7.1