Sanitized output for same tainted input differs from AntiSamy 1.7.3 to 1.7.4

[kwwall]

The release notes do not indicate that the sanitized output may different for AntiSamy between release 1.7.3 and 1.7.4, but here are 3 examples taken from ESAPI that show this is the case. Note that I have only tried this using the AntiSamy.DOM parser (which is what ESAPI uses). YMMV with AntiSamy.SAX parser.

See PR #388 for details.

My expectations here is that you update your 1.7.4 release notes and possibly mention this in your README.md file as it can potentially break people's regression tests against AntiSamy.

[kwwall]

Incidentally, using SAX parser gives the same failed test results, but TBH, I'm not sure that is a fair test because I've never ran this test using the AntiSamy.SAX parser before so I don't know what the previous results with it were.

[spassarop]

I reviewed this and it looks like the HTML parser now handles differently when certain tags end or begin at the start but don't have a corresponding closing or opening tag.

Fortunately, it didn't end in a security bug so far. I guess the best would be what you suggest and add that extending note. As our checks may be more flexible to changes (we tend to look for bad stuff not appearing rather than comparing exact outputs) this did not arise on our tests. Thanks Kevin.

[davewichers]

@spassarop - Can you update something to address this? The README or whatever?

[spassarop]

I did already. It is in the readme at the end of the breaking changes notice. El jue, 11 ene 2024 a las 18:15, Dave Wichers ***@***.***>) escribió:

…

@spassarop <https://github.com/spassarop> - Can you update something to address this? The README or whatever? — Reply to this email directly, view it on GitHub <#389 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AHL3BMJMEVLRCNPTOQ32ISDYOBI5VAVCNFSM6AAAAAA7G3DGK2VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQOBXHE3TGMJRGY> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[davewichers]

OK. Closing this as this update will go out in release 1.7.5

[kwwall]

Finally getting caught up on this. This was mostly an FYI anyhow and I was only mentioning it in case anyone had similar regression tests that are now failing, I just figured it we ought to let them know, so a comment in the README will address that. It still sanitizes safely and that's all that really should matter. Hence I agree this should be closed.