Merge branch 'main' into migrate_to_jupiter

Author: strangelookingnerd

RELEASE-checklist.sh

@@ -69,7 +69,7 @@ perl -i.bak \
      -pe 'if (m/^  [*] / && !$added) { $_ = qq(  * Release $ENV{"NEW_VERSION"}\n$_); $added = 1; }' \
      change_log.md
 
-$EDITOR change_log.md
+$EDITOR change_log.md SECURITY.md
 
 # A dry run.
 mvn -f pom.xml clean source:jar javadoc:jar verify \

SECURITY.md

@@ -6,7 +6,7 @@ Only the lastest version are supported with updates.
 
 | Version    | Supported          |
 | ---------- | ------------------ |
-| 20240325.1 | :white_check_mark: |
+| 20260103.1 | :white_check_mark: |
 
 
 

docs/vulnerabilities.md

@@ -1,4 +1,5 @@
 # Known & public vulnerabilities in this project
 
+  * [CVE-2025-66021](https://github.com/OWASP/java-html-sanitizer/security/advisories/GHSA-g9gq-3pfx-2gw2) - 25 Nov. 2025 - Recommend upgrade to v20260102.1 or later.
   * [CVE-2021-42575](cve202142575.md) - 18 Oct. 2021 - Recommend upgrade to v20211018.1 or later.
   * [CVE-2011-4457](cve20114457.md) - 17 Nov. 2011 - Recommend upgrade to r88 or later.

java10-shim/src/main/java/org/owasp/shim/ForJava9AndLater.java

@@ -62,6 +62,6 @@ final class ForJava9AndLater extends Java8Shim {
     }
 
     @Override public <T> Set<T> setCopyOf(Collection<? extends T> c) {
-        return Set.copyOf(c);
+        return Collections.unmodifiableSet(new LinkedHashSet<>(c));
     }
 }

owasp-java-html-sanitizer/src/main/java/org/owasp/html/HtmlElementTables.java

@@ -109,7 +109,7 @@ public HtmlElementTables(
     LI_TAG = indexForName("li");
     SELECT_TAG = indexForName("select");
     OPTION_TAG = indexForName("option");
-    OPTGROUP_TAG = indexForName("opgroup");
+    OPTGROUP_TAG = indexForName("optgroup");
     SCRIPT_TAG = indexForName("script");
     STYLE_TAG = indexForName("style");
     TABLE_TAG = indexForName("table");

owasp-java-html-sanitizer/src/main/java/org/owasp/html/HtmlPolicyBuilder.java

@@ -33,6 +33,7 @@
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.LinkedHashMap;
+import java.util.LinkedHashSet;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
@@ -428,7 +429,7 @@ public HtmlPolicyBuilder requireRelNofollowOnLinks() {
   public HtmlPolicyBuilder requireRelsOnLinks(String... linkValues) {
     this.invalidateCompiledState();
     if (this.extraRelsForLinks == null) {
-      this.extraRelsForLinks = new HashSet<>();
+      this.extraRelsForLinks = new LinkedHashSet<>();
     }
     for (String linkValue : linkValues) {
       linkValue = HtmlLexer.canonicalKeywordAttributeValue(linkValue);
@@ -1112,8 +1113,8 @@ static final class JoinRelsOnLinksPolicies
 
     public JoinableElementPolicy join(
         Iterable<? extends JoinableElementPolicy> toJoin) {
-      Set<String> extra = new HashSet<>();
-      Set<String> skip = new HashSet<>();
+      Set<String> extra = new LinkedHashSet<>();
+      Set<String> skip = new LinkedHashSet<>();
       for (JoinableElementPolicy ep : toJoin) {
         RelsOnLinksPolicy p = (RelsOnLinksPolicy) ep;
         extra.addAll(p.extra);

owasp-java-html-sanitizer/src/test/java/org/owasp/html/OptgroupBugTest.java

@@ -0,0 +1,27 @@
+package org.owasp.html;
+
+import org.junit.Test;
+import static org.junit.Assert.assertEquals;
+
+public class OptgroupBugTest {
+    
+    /**
+     * Test that optgroup elements inside select are not corrupted with extra select tags.
+     * 
+     * Before fix: <select><optgroup><select><option></option></select></optgroup></select>
+     * After fix:  <select><optgroup><option></option></optgroup></select>
+     */
+    @Test
+    public void testOptgroupInsideSelectDoesNotAddExtraSelectTags() {
+        PolicyFactory factory = new HtmlPolicyBuilder()
+            .allowElements("select", "optgroup", "option")
+            .allowAttributes("label").globally()
+            .toFactory();
+        
+        String input = "<select><optgroup label=\"mygroup\"><option>My option</option></optgroup></select>";
+        String result = factory.sanitize(input);
+        
+        // The key assertion: no extra select tags should be inserted
+        assertEquals(input, result);
+    }
+}

owasp-java-html-sanitizer/src/test/java/org/owasp/html/SanitizersTest.java

@@ -251,6 +251,30 @@ void testLinks() {
         s.sanitize("<a name=\"header\" id=\"header\">Header text</a>"));
   }
 
+  @Test
+  void testLinksRelAttributeAdditionsOrder() {
+    // Issue 336.
+    PolicyFactory pf = Sanitizers.LINKS.and(
+            new HtmlPolicyBuilder()
+            .allowElements("a")
+            .requireRelsOnLinks("noopener", "noreferrer")
+            .toFactory());
+
+    assertEquals(
+            "<a href=\"foo.html\" rel=\"nofollow noopener noreferrer\">Link text</a>",
+            pf.sanitize("<a href=\"foo.html\">Link text</a>"));
+
+    pf = Sanitizers.LINKS.and(
+            new HtmlPolicyBuilder()
+                    .allowElements("a")
+                    .requireRelsOnLinks("noreferrer", "noopener")
+                    .toFactory());
+
+    assertEquals(
+            "<a href=\"foo.html\" rel=\"nofollow noreferrer noopener\">Link text</a>",
+            pf.sanitize("<a href=\"foo.html\">Link text</a>"));
+  }
+
   @Test
   void testExplicitlyAllowedProtocolsAreCaseInsensitive() {
     // Issue 24.
@@ -552,7 +576,7 @@ void testStyleGlobally() {
     String want = "<h1 style=\"color:green\">This is some green text</h1>";
     assertEquals(want, policyBuilder.sanitize(input));
   }
-  
+
   static int fac(int n) {
     int ifac = 1;
     for (int i = 1; i <= n; ++i) {