added support for style sanitization testing

jmanico · jmanico · commit 612436cf38a8 · 2016-07-17T09:59:40.000-10:00
Also bumped version to latest in maven
diff --git a/JavaHTMLSanitizer/app/WebContent/index.jsp b/JavaHTMLSanitizer/app/WebContent/index.jsp
@@ -11,11 +11,13 @@
 		<form action="SanitizeServlet" method="POST">			
 			<b>Please enter some HTML and try to XSS the server-side sanitizer!</b><br/><br/>
 			The current server-side policy allows the following tags ("a", "p", "div", "i", "b", "em",<br/>
-			"blockquote", "tt", "strong", "br", "ul", "ol", "li") and only certain attributes.<br/><br/> Good luck!<br/><br/>
+			"blockquote", "tt", "strong", "br", "ul", "ol", "li") and only certain attributes.<br/>
+			We have also enabled "allowStyling" so you can test against our new CSS sanitization.<br/>
+            Good luck!<br/><br/>
 			<textarea rows="10" cols="80" name="usercontent"></textarea><br/>
 			<input type="submit" value="submit">						
 		</form>	
-		<br/>
+		<hr/>
 		<h1>OWASP Java Encoder Test</h1>
 		<form action="EncodeServlet" method="POST">
 		&lt;!DOCTYPE html&gt;<br/>
diff --git a/JavaHTMLSanitizer/app/pom.xml b/JavaHTMLSanitizer/app/pom.xml
@@ -2,7 +2,7 @@
 	<modelVersion>4.0.0</modelVersion>
 	<groupId>OWASPBugBounty</groupId>
 	<artifactId>OWASPBugBounty</artifactId>
-	<version>0.0.1-SNAPSHOT</version>
+	<version>0.1.1-SNAPSHOT</version>
 	<packaging>war</packaging>
 	<build>
 		<sourceDirectory>src</sourceDirectory>
@@ -35,7 +35,7 @@
 		<dependency>
 			<groupId>com.googlecode.owasp-java-html-sanitizer</groupId>
 			<artifactId>owasp-java-html-sanitizer</artifactId>
-			<version>20160413.1</version>
+			<version>20160628.1</version>
 		</dependency>
 		<dependency>
    			<groupId>org.owasp.encoder</groupId>
diff --git a/JavaHTMLSanitizer/app/src/SanitizeAction.java b/JavaHTMLSanitizer/app/src/SanitizeAction.java
@@ -49,6 +49,8 @@ protected void doPost(HttpServletRequest request,
           // Custom slashdot tags.
           // These could be rewritten in the sanitizer using an ElementPolicy.
           .allowElements("quote", "ecode")
+          // Allows for tests against new CSS sanitization
+          .allowStyling()
           .toFactory();
 
     //accepting user content and converting nulls to empty strings
