We’ve released another version of AntiSamy into Maven and on the main downloads page. In terms of the actual code changes, there are just a few things – it’s more of a directional change for our engine. Here’s the changelist:
- fixed error message not sanitizing CDATA payloads when encountered (should only concern you if you use error messages + exactly version 1.4.3)
- tags that are allowed to be empty are no longer hardcoded and can be set in the policy file (<allowed-empty-tags>), with a safe default list if none are provided
- continued to try to make SAX and DOM version semantically if not literally identical output
- added test cases to regression
- fixed Julian Cohen’s privately reported stack exhaustion bug by applying a tree depth check (the max depth of a DOM tree is now 250)
- no longer Java 1.4 compatible
The biggest move of this release is to officially change the default parser/serializer from the DOM engine to the SAX engine. We’ve had two engines for the past few versions, but maintaining two engines concurrently is kinda crazy. The SAX version is twice as fast and much better on memory. Even though all of our test cases pass for both engines, I still anticipate some growing pains in the SAX version, which is why I think most critical applications should stick to 1.4.3 for now.
I strongly believe that DOM-based validation is still the most safe approach because it’s a more organized, thought-to-code translation. SAX forces you to maintain some state which can be very error-prone in this problem space. But, some customers have stringent performance requirements which may preclude the use of an API that builds huge trees and throws them away quite rapidly, even if it’s only on a few code paths.
Anyway, there’s a place for both in the world, so we’ll keep the DOM engine around. You can continue to invoke it by calling AntiSamy like this:
AntiSamy as = new AntiSamy();
as.scan(badInput, policy, AntiSamy.DOM);
In the meantime, I’m inviting all you terrible sla.ckers to beat the crap out of the new smoketest: http://www.antisamysmoketest.com/. Don’t be gentle.