diff --git a/README.md b/README.md index 3b36e3eb..200f66df 100644 --- a/README.md +++ b/README.md @@ -48,7 +48,9 @@ we recognize that it might not be possible for developers to fix their AntiSamy 2) Change the code using AntiSamy to invoke: Policy.setSchemaValidation(false) before loading the AntiSamy policy. This is a static call so once disabled, it is disabled for all new Policy instances. -To encourage AntiSamy users to only use XSD compliant policies, AntiSamy will always issue some type of warning when schema validation is disabled. It will either WARN that the policy is non-compliant so it can be fixed, or it will WARN that the policy is compliant, but schema validation is OFF, so validation should be turned back on (i.e., stop disabling it). +To encourage AntiSamy users to only use XSD compliant policies, AntiSamy will always log some type of warning when schema validation is disabled. It will either WARN that the policy is non-compliant so it can be fixed, or it will WARN that the policy is compliant, but schema validation is OFF, so validation should be turned back on (i.e., stop disabling it). We also added INFO level logging when AntiSamy schema's are loaded and validated. + +### Logging: The logging introduced in 1.6.0 accidentally used log4j, while declaring slf4 as the logging API. This was quickly fixed in 1.6.1 to use slf4j APIs only. AntiSamy now includes the slf4j-simple library for its logging, but AntiSamy users can import and use an alternate slf4j compatible logging library if they prefer. They can also then exclude slf4j-simple if they want to. ### 3. Tailoring the policy file You may want to deploy AntiSamy in a default configuration, but it’s equally likely that a site may want to have strict, business-driven rules for what users can allow. The discussion that decides the tailoring should also consider attack surface - which grows in relative proportion to the policy file. diff --git a/pom.xml b/pom.xml index 4afb802a..1b9f401f 100644 
--- a/pom.xml +++ b/pom.xml @@ -3,7 +3,7 @@ org.owasp.antisamy antisamy jar - 1.6.0 + 1.6.1 ossrh @@ -42,8 +42,9 @@ UTF-8 - 2021-05-03T17:04:00Z + 2021-09-03T03:15:00Z true + 1.7.30 4.2.0 4.2.2 @@ -80,26 +81,22 @@ httpclient 4.5.13 - + commons-codec commons-codec - - - - org.apache.logging.log4j - log4j-slf4j-impl - - 2.12.1 - - - org.slf4j - slf4j-api + org.apache.httpcomponents + httpcore + + org.apache.httpcomponents + httpcore + 4.4.14 + org.apache.xmlgraphics batik-css @@ -115,7 +112,12 @@ org.slf4j slf4j-api - 1.7.30 + ${version.slf4j} + + + org.slf4j + slf4j-simple + ${version.slf4j} @@ -130,6 +132,11 @@ 1.4.01 + + xml-apis + xml-apis-ext + 1.3.04 + @@ -138,12 +145,6 @@ ${version.spotbugs} true - - net.jcip - jcip-annotations - 1.0 - true - @@ -152,6 +153,12 @@ 4.13.2 test + + org.hamcrest + hamcrest-core + 1.3 + test + diff --git a/src/main/java/org/owasp/validator/html/Policy.java b/src/main/java/org/owasp/validator/html/Policy.java index 02916780..c59c19c9 100644 --- a/src/main/java/org/owasp/validator/html/Policy.java +++ b/src/main/java/org/owasp/validator/html/Policy.java @@ -52,9 +52,6 @@ import javax.xml.validation.Schema; import javax.xml.validation.SchemaFactory; -import org.apache.logging.log4j.Logger; -import org.apache.logging.log4j.LogManager; - import org.owasp.validator.html.model.AntiSamyPattern; import org.owasp.validator.html.model.Attribute; import org.owasp.validator.html.model.Property; @@ -62,6 +59,8 @@ import org.owasp.validator.html.scan.Constants; import org.owasp.validator.html.util.URIUtils; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; import org.w3c.dom.Document; import org.w3c.dom.Element; import org.w3c.dom.NodeList; @@ -80,7 +79,7 @@ public class Policy { - private static final Logger logger = LogManager.getLogger(Policy.class); + private static final Logger logger = LoggerFactory.getLogger(Policy.class); public static final Pattern ANYTHING_REGEXP = Pattern.compile(".*", Pattern.DOTALL); 
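Review bot: The new `slf4j-simple` dependency added in the hunk at `@@ -115,7 +112,12 @@` shows no `<scope>` or `<optional>` flag, so it appears to be a compile-scope dependency that AntiSamy, a library, will push transitively onto every consumer's classpath. Consumers that already bind SLF4J to logback or log4j2 will then see the SLF4J "multiple bindings" warning and get whichever binding happens to come first on the classpath, and the README's advice to exclude `slf4j-simple` puts that burden on them rather than on this pom. Consider adding `<optional>true</optional>` to that entry (or `<scope>test</scope>` if the binding only exists so test output is visible) so the library keeps declaring only `slf4j-api` as its logging contract. The XML tags of this hunk were stripped during extraction, so the exact element layout cannot be confirmed from here.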
@@ -229,7 +228,7 @@ public static Policy getInstance(String filename) throws PolicyException { * @throws PolicyException If there is a problem parsing the input stream. */ public static Policy getInstance(InputStream inputStream) throws PolicyException { - final String logMsg = "Attempting to load policy from an input stream."; + final String logMsg = "Attempting to load AntiSamy policy from an input stream."; // If schema validation is disabled, we elevate this msg to the warn level to match the // level of the mandatory warning that will follow. We do the same below. if (validateSchema) logger.info(logMsg); else logger.warn(logMsg); @@ -263,7 +262,7 @@ public static Policy getInstance(File file) throws PolicyException { * @throws PolicyException If the file is not found or there is a problem parsing the file. */ public static Policy getInstance(URL url) throws PolicyException { - String logMsg = "Attempting to load policy from URL: " + url.toString(); + String logMsg = "Attempting to load AntiSamy policy from URL: " + url.toString(); if (validateSchema) logger.info(logMsg); else logger.warn(logMsg); return new InternalPolicy(url, getParseContext(getTopLevelElement(url), url)); } @@ -374,7 +373,7 @@ protected static Element getTopLevelElement(InputSource source, Callable - - - - - - - - - - - - - diff --git a/src/test/resources/log4j2.xml b/src/test/resources/log4j2.xml deleted file mode 100644 index 4ea96fb2..00000000 --- a/src/test/resources/log4j2.xml +++ /dev/null @@ -1,14 +0,0 @@ - - - - - - - - - - - - - -
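Review bot: `url.toString()` in the new log line of `getInstance(URL)` includes any userinfo component of the URL, so a policy fetched from a location such as `https://user:secret@host/policy.xml` would write that credential to the log at INFO, or at WARN when schema validation is off. Whether callers ever pass such URLs is not visible here, but a sanitizer library should not depend on it; logging only scheme, host and path avoids the leak, e.g. `String logMsg = "Attempting to load AntiSamy policy from URL: " + url.getProtocol() + "://" + url.getHost() + url.getPath();`. The concatenated message would also read more idiomatically with SLF4J `{}` placeholders, but the info/warn branching on `validateSchema` makes that a larger change than this one-line hunk warrants.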