Release 20240325.1

• Remove dependency on Guava
• Raise minimum supported JVM release to 8
• HTML: Avoid duplicate link rel values.
• HTML: Recognize foreign content syntactic context: mathml / svg.
• CSS: Better support for font-size, overflow-wrap, word-break.
• CSS: Better child combinator parsing.
• Bug: Fixed out of bounds when mixing global style attribute with others.
• Special thanks to (in lexicographic order):
  Claudio Weiler, Josh England, Prakhar Maurya, Sven Strickroth, subbudvk

Release 20220608.1

Release 20220608.1

• Fix bugs in CSS tokenization
• Fix deocding of HTML character references that lack semicolons
  like &para in HTML attribute values that affected
  URL query parameters.

v20211018.2

Changes how we avoid problems with special tags inside <select> elements. Instead of complicating the rendering of <style> elements in all cases, now we just close special elements when they are embedded in <select> elements so no text under a <select> is interpreted as anything other than PCDATA.

This is a follow on to https://docs.google.com/document/d/11SoX296sMS0XoQiQbpxc5pNxSdbJKDJkm5BDv0zrX50/edit#heading=h.ff1sdefzjxrx and we recommend using it over v20211018.1.

20211018.1

This release fixes a vulnerability as tracked by CVE-2021-42575

See https://docs.google.com/document/d/11SoX296sMS0XoQiQbpxc5pNxSdbJKDJkm5BDv0zrX50/edit# for details.

For a full list of known vulnerabilities see https://github.com/OWASP/java-html-sanitizer/blob/main/docs/vulnerabilities.md

20200713.1

Improves SVG and MathML support.
Now policies don't lower-case element and attribute names that are defined in either the SVG or MathML schemas.

Be aware that SVG's <textArea> is now distinct from HTML's <textarea>.

20190610.1

• Recognize HTML entity names added in the last few years. Now &name; will work consistently.

19 Feb 2018

• Strip ZWNJ from MacOS and iOS crashing text sequences