From dd8c6a460a03f58edff211e8dc3633eac8138419 Mon Sep 17 00:00:00 2001 From: Mike Samuel Date: Mon, 25 Mar 2024 10:08:40 -0600 Subject: [PATCH] Release candidate 20240325.1 --- README.md | 10 +++++----- aggregate/pom.xml | 4 ++-- change_log.md | 10 ++++++++++ docs/getting_started.md | 10 +++++----- docs/maven.md | 2 +- empiricism/pom.xml | 4 ++-- html-types/pom.xml | 4 ++-- java10-shim/pom.xml | 11 +++++++++-- java10-shim/src/main/java/org/owasp/shim/Notice.java | 8 ++++++++ java8-shim/pom.xml | 2 +- owasp-java-html-sanitizer/pom.xml | 2 +- pom.xml | 2 +- 12 files changed, 47 insertions(+), 22 deletions(-) create mode 100644 java10-shim/src/main/java/org/owasp/shim/Notice.java diff --git a/README.md b/README.md index 3d4a21d8..96f26527 100644 --- a/README.md +++ b/README.md @@ -35,7 +35,7 @@ how to get started with or without Maven. ## Prepackaged Policies You can use -[prepackaged policies](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20220608.1/org/owasp/html/Sanitizers.html): +[prepackaged policies](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20240325.1/org/owasp/html/Sanitizers.html): ```Java PolicyFactory policy = Sanitizers.FORMATTING.and(Sanitizers.LINKS); @@ -47,7 +47,7 @@ String safeHTML = policy.sanitize(untrustedHTML); The [tests](https://github.com/OWASP/java-html-sanitizer/blob/main/src/test/java/org/owasp/html/HtmlPolicyBuilderTest.java) show how to configure your own -[policy](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20220608.1/org/owasp/html/HtmlPolicyBuilder.html): +[policy](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20240325.1/org/owasp/html/HtmlPolicyBuilder.html): ```Java PolicyFactory policy = new HtmlPolicyBuilder() 
@@ -62,7 +62,7 @@ String safeHTML = policy.sanitize(untrustedHTML); ## Custom Policies You can write -[custom policies](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20220608.1/org/owasp/html/ElementPolicy.html) +[custom policies](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20240325.1/org/owasp/html/ElementPolicy.html) to do things like changing `h1`s to `div`s with a certain class: ```Java @@ -85,7 +85,7 @@ need to be explicitly whitelisted using the `allowWithoutAttributes()` method if you want them to be allowed through the filter when these elements do not include any attributes. -[Attribute policies](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20220608.1/org/owasp/html/AttributePolicy.html) allow running custom code too. Adding an attribute policy will not water down any default policy like `style` or URL attribute checks. +[Attribute policies](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20240325.1/org/owasp/html/AttributePolicy.html) allow running custom code too. Adding an attribute policy will not water down any default policy like `style` or URL attribute checks. ```Java new HtmlPolicyBuilder = new HtmlPolicyBuilder() @@ -153,7 +153,7 @@ of the output. ## Telemetry -When a policy rejects an element or attribute it notifies an [HtmlChangeListener](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20220608.1/org/owasp/html/HtmlChangeListener.html). +When a policy rejects an element or attribute it notifies an [HtmlChangeListener](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20240325.1/org/owasp/html/HtmlChangeListener.html). You can use this to keep track of policy violation trends and find out when someone is making an effort to breach your security. 
diff --git a/aggregate/pom.xml b/aggregate/pom.xml index 7b1f5bab..9e1e3f7a 100644 --- a/aggregate/pom.xml +++ b/aggregate/pom.xml @@ -3,12 +3,12 @@ com.googlecode.owasp-java-html-sanitizer aggregate pom - 20220608.2-SNAPSHOT + 20240325.1 .. com.googlecode.owasp-java-html-sanitizer parent - 20220608.2-SNAPSHOT + 20240325.1 diff --git a/change_log.md b/change_log.md index 04324a49..8768a95c 100644 --- a/change_log.md +++ b/change_log.md @@ -1,6 +1,16 @@ # OWASP Java HTML Sanitizer Change Log Most recent at top. + * Release 20240325.1 + * Remove dependency on Guava + * Raise minimum supported JVM release to 8 + * HTML: Avoid duplicate link `rel` values. + * HTML: Recognize foreign content syntactic context: `mathml` / `svg`. + * CSS: Better support for `font-size`, `overflow-wrap`, `word-break`. + * CSS: Better child combinator parsing. + * Bug: Fixed out of bounds when mixing global style attribute with others. + * Special thanks to (in lexicographic order): + Claudio Weiler, Josh England, Prakhar Maurya, Sven Strickroth, subbudvk * Release 20220608.1 * Fix bugs in CSS tokenization * Fix deocding of HTML character references that lack semicolons diff --git a/docs/getting_started.md b/docs/getting_started.md index fdb5addf..131bee2a 100644 --- a/docs/getting_started.md +++ b/docs/getting_started.md 
@@ -29,16 +29,16 @@ it to HTML. The [javadoc](http://javadoc.io/doc/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/) covers more detailed topics, including -[customization](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20220608.1/org/owasp/html/HtmlPolicyBuilder.html). +[customization](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20240325.1/org/owasp/html/HtmlPolicyBuilder.html). Important classes are: - * [Sanitizers](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20220608.1/org/owasp/html/Sanitizers.html) contains combinable pre-packaged policies. - * [HtmlPolicyBuilder](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20220608.1/org/owasp/html/HtmlPolicyBuilder.html) lets you easily build custom policies. + * [Sanitizers](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20240325.1/org/owasp/html/Sanitizers.html) contains combinable pre-packaged policies. + * [HtmlPolicyBuilder](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20240325.1/org/owasp/html/HtmlPolicyBuilder.html) lets you easily build custom policies. For advanced use, see: - * [AttributePolicy](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20220608.1/org/owasp/html/AttributePolicy.html) and [ElementPolicy](http://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20180219.1/org/owasp/html/ElementPolicy.html) allow complex customization. - * [HtmlStreamEventReceiver](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20220608.1/org/owasp/html/HtmlStreamEventReceiver.html) if you don't just want a `String` as output. 
+ * [AttributePolicy](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20240325.1/org/owasp/html/AttributePolicy.html) and [ElementPolicy](http://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20180219.1/org/owasp/html/ElementPolicy.html) allow complex customization. + * [HtmlStreamEventReceiver](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20240325.1/org/owasp/html/HtmlStreamEventReceiver.html) if you don't just want a `String` as output. ## Asking Questions diff --git a/docs/maven.md b/docs/maven.md index c24a0464..afc82bb6 100644 --- a/docs/maven.md +++ b/docs/maven.md @@ -23,7 +23,7 @@ Bigger numbers are more recent and the [change log](../change_log.md) can shed light on the salient differences. You should be able to build with the HTML sanitizer. You can read the -[javadoc](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20220608.1/index.html), +[javadoc](https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20240325.1/index.html), and if you have questions that aren't answered by these wiki pages, you can ask on the [mailing list](http://groups.google.com/group/owasp-java-html-sanitizer-support). diff --git a/empiricism/pom.xml b/empiricism/pom.xml index 0679df4b..981a0fbd 100644 --- a/empiricism/pom.xml +++ b/empiricism/pom.xml @@ -2,13 +2,13 @@ 4.0.0 com.googlecode.owasp-java-html-sanitizer html-types - 20220608.2-SNAPSHOT + 20240325.1 jar .. com.googlecode.owasp-java-html-sanitizer parent - 20220608.2-SNAPSHOT + 20240325.1 empiricism diff --git a/html-types/pom.xml b/html-types/pom.xml index c3fdcc79..234c8d73 100644 --- a/html-types/pom.xml +++ b/html-types/pom.xml 
@@ -2,13 +2,13 @@ 4.0.0 com.googlecode.owasp-java-html-sanitizer html-types - 20220608.2-SNAPSHOT + 20240325.1 bundle .. com.googlecode.owasp-java-html-sanitizer parent - 20220608.2-SNAPSHOT + 20240325.1 OWASP Java HTML Sanitizer Safe HTML Compatibility diff --git a/java10-shim/pom.xml b/java10-shim/pom.xml index 21b96c35..2e0d8d38 100644 --- a/java10-shim/pom.xml +++ b/java10-shim/pom.xml @@ -6,13 +6,13 @@ .. com.googlecode.owasp-java-html-sanitizer parent - 20220608.2-SNAPSHOT + 20240325.1 Java 10 Shim Provides an implementation of java8-shim that interoperates with - Java >= 10 idioms for immutable collections. + Java >= 10 idioms for immutable collections. @@ -24,6 +24,13 @@ 10 + + org.apache.maven.plugins + maven-release-plugin + + -Dmaven.javadoc.skip=true + + diff --git a/java10-shim/src/main/java/org/owasp/shim/Notice.java b/java10-shim/src/main/java/org/owasp/shim/Notice.java new file mode 100644 index 00000000..871cbede --- /dev/null +++ b/java10-shim/src/main/java/org/owasp/shim/Notice.java @@ -0,0 +1,8 @@ +package org.owasp.shim; + +/** + * This bundle has no useful public classes as it serves only to provide an + * implementation class loaded reflectively. See Java8Shim for details. + */ +public class Notice { +} diff --git a/java8-shim/pom.xml b/java8-shim/pom.xml index c414253b..ab0e3f30 100644 --- a/java8-shim/pom.xml +++ b/java8-shim/pom.xml @@ -6,7 +6,7 @@ .. com.googlecode.owasp-java-html-sanitizer parent - 20220608.2-SNAPSHOT + 20240325.1 Java 8 Shim diff --git a/owasp-java-html-sanitizer/pom.xml b/owasp-java-html-sanitizer/pom.xml index 9b9dd8b2..3c9bdf5f 100644 --- a/owasp-java-html-sanitizer/pom.xml +++ b/owasp-java-html-sanitizer/pom.xml @@ -6,7 +6,7 @@ .. com.googlecode.owasp-java-html-sanitizer parent - 20220608.2-SNAPSHOT + 20240325.1 OWASP Java HTML Sanitizer diff --git a/pom.xml b/pom.xml index 94bce32c..057850df 100644 --- a/pom.xml +++ b/pom.xml 
@@ -2,7 +2,7 @@ 4.0.0 com.googlecode.owasp-java-html-sanitizer parent - 20220608.2-SNAPSHOT + 20240325.1 pom
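Review bot: In docs/getting_started.md, the `ElementPolicy` link in the "For advanced use" bullet still points at `http://static.javadoc.io/.../20180219.1/org/owasp/html/ElementPolicy.html` while the `AttributePolicy` link on the same `+` line was bumped to `https://.../20240325.1/...`. Update it to the 20240325.1 javadoc and `https://` so the two links in that bullet agree and readers are not sent to six-year-old docs over plain HTTP.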
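Review bot: In empiricism/pom.xml the context around the version bump shows the module declaring artifactId `html-types` (with packaging `jar`), which is the same artifactId that html-types/pom.xml declares (with packaging `bundle`). If that is not an extraction artifact, two reactor modules share one artifactId and the release will publish or overwrite the wrong artifact; confirm and rename the empiricism module's artifactId to `empiricism` before tagging 20240325.1.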
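Review bot: In java10-shim/pom.xml and the new java10-shim/src/main/java/org/owasp/shim/Notice.java, the patch applies two fixes for what looks like the same javadoc problem: the release plugin now passes `-Dmaven.javadoc.skip=true`, and a placeholder `public class Notice` is added whose own comment says "This bundle has no useful public classes". A public `Notice` type is itself a public class and will show up in the published API, so either make it package-private (or drop it) if the javadoc skip is the real fix, or keep `Notice` so javadoc succeeds and drop the skip. Note also that repositories which require a javadoc jar alongside each released artifact may reject a release built with javadoc skipped; state in the pom comment which of the two is intended and why.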
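Review bot: The change_log.md entry records two compatibility-affecting changes, "Remove dependency on Guava" and "Raise minimum supported JVM release to 8", but the docs touched in this patch (docs/getting_started.md, docs/maven.md) only bump javadoc URLs and still say nothing about the minimum Java version. Add the Java 8 floor to docs/maven.md next to the version guidance, and while editing change_log.md fix the pre-existing typo in the 20220608.1 entry ("Fix deocding of HTML character references") to "decoding".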
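Review bot: In README.md, the hunk that bumps the `AttributePolicy` link carries the existing example `new HtmlPolicyBuilder = new HtmlPolicyBuilder()`, which is not valid Java (a `new` expression is used where a variable declaration such as `PolicyFactory policy = new HtmlPolicyBuilder()` belongs, matching the other snippets in the file). Since this release touches every link in that section, fix the snippet in the same commit so the published README compiles as shown.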