Go download!

The changes:

  • Fixed empty element “bug” (a <b/> causes the rest of the page to be bold cross-browser, wtf? more on this later)
  • Fixed some bugs handling CSS colors, fonts and margins (negative margins not allowed and colors are now c14nized – thx to Jason Li and designbistro)
  • Added a usable pom.xml (thx to fernman)
  • Fixed a bunch of CSS policy file functional problems (thx to Jerry Hoff who is also working hard getting the .NET version to 1.0)
  • Added demo WAR to the downloads
  • Numerous other little bug fixes
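The empty-element item above, as an added example (not AntiSamy code; the function names are hypothetical). It uses a deliberately simplified model of the HTML parsing rule that ignores the trailing slash on non-void start tags, so `<b/>` opens a `<b>` that is never closed, and shows a serializer that writes an explicit end tag instead:

```javascript
// Simplified model, not a full HTML parser: it tracks only formatting elements,
// which browsers keep active across block boundaries until they are closed.
const FORMATTING = new Set(["a", "b", "big", "code", "em", "font", "i", "nobr",
                            "s", "small", "strike", "strong", "tt", "u"]);
const VOID = new Set(["area", "base", "br", "col", "embed", "hr", "img", "input",
                      "link", "meta", "source", "track", "wbr"]);

// Return the formatting elements still open after `html` has been read as
// text/html, where "/>" on a non-void element does NOT close it.
function activeFormattingAtEnd(html) {
  const active = [];
  const tagRe = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)[^>]*>/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const name = m[2].toLowerCase();
    if (!FORMATTING.has(name)) continue;
    if (m[1] === "/") {
      const i = active.lastIndexOf(name);
      if (i !== -1) active.splice(i, 1);  // end tag closes the nearest match
    } else {
      active.push(name);                  // "<b/>" lands here, same as "<b>"
    }
  }
  return active;
}

// Serialize an element for text/html output: void elements get no end tag,
// every other element gets an explicit one, even when it is empty.
function serializeElement(name, innerHtml = "") {
  const n = name.toLowerCase();
  return VOID.has(n) ? `<${n}>` : `<${n}>${innerHtml}</${n}>`;
}

// Constructed sample: sanitized user markup embedded in a host page.
const xmlStyle = "<p>comment: <b/></p><p>rest of the page</p>";
const htmlSafe = `<p>comment: ${serializeElement("b")}</p><p>rest of the page</p>`;

console.log(activeFormattingAtEnd(xmlStyle)); // [ 'b' ]
console.log(activeFormattingAtEnd(htmlSafe)); // []
```
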

The test cases all pass except one. The only one that fails is the one that is actually a problem with NekoHTML, the HTML parsing engine on top of which AntiSamy sits. As you can see here, I provided him a working patch, test case, and justification. I’ve been watching their source tree closely and I don’t see any movement on this particular issue. However, as a group we decided to just live with it until they fix it and no longer try to maintain a forked version of their library. I trust that they’ll eventually fix it, and you can still use my patch to fix your own version if that’s unacceptable.

Here’s what’s on the roadmap for 1.4:

  • full Maven support
  • SAX parser (should increase speed by ~50%)
  • programmatic access to the Policy object with guaranteed thread safety

As always, if you have issues, questions, or feedback, drop us a line on the Google Code issue tracker or the OWASP AntiSamy mailing list.

Thanks to all the people who submitted issues, patches and feedback. You guys are awesome.