Skip to content

Fix #363: CVE-2025-66021 #364

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
melloware wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Fix #363: CVE-2025-66021 #364

melloware wants to merge 1 commit into from
+262 −10

Conversation

@melloware
Copy link

@melloware melloware commented Dec 8, 2025
edited
Loading

Fix #363: CVE-2025-66021

  • 4 unit tests that failed before the fix now pass
  • All existing unit tests pass (had to make some Windows fixes)
  • New code checks any element with allowTextIn to make sure it allows only tags allowed

@melloware melloware mentioned this pull request Dec 8, 2025
Open
@melloware melloware force-pushed the O363-CVE branch 4 times, most recently from 1fba743 to e3d1cc0 Compare December 8, 2025 20:54
@melloware melloware marked this pull request as ready for review December 8, 2025 20:54
melloware
melloware commented Dec 8, 2025
View reviewed changes
owasp-java-html-sanitizer/src/test/java/org/owasp/html/HtmlSanitizerFuzzerTest.java
StandardCharsets.UTF_8)).lines().collect(Collectors.joining());
String html = new String(Files.readAllBytes(
Paths.get(getClass().getResource("/benchmark-data/Yahoo!.html").toURI())),
StandardCharsets.UTF_8);
Copy link
Author

@melloware melloware Dec 8, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

tests were failing on Windows

melloware
melloware commented Dec 8, 2025
View reviewed changes
owasp-java-html-sanitizer/src/test/java/org/owasp/html/HtmlLexerTest.java
// Do the lexing.
String input = new String(Files.readAllBytes(Paths.get(getClass().getResource("htmllexerinput1.html").toURI())), StandardCharsets.UTF_8);
// Normalize line endings in input to handle Windows/Unix differences
input = input.replace("\r\n", "\n").replace("\r", "\n");
Copy link
Author

@melloware melloware Dec 8, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

tests were failing on Windows

@melloware melloware force-pushed the O363-CVE branch 2 times, most recently from 0fb0b33 to 0e63daf Compare December 8, 2025 21:08
@melloware melloware mentioned this pull request Dec 8, 2025
Open
@melloware
Copy link
Author

melloware commented Dec 9, 2025

cc @ironfisto

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Vulnerabilities: CVE-2025-66021

1 participant

@melloware