add missing cases

righettod · righettod · commit 0bc21df98a21 · 2026-04-12T09:10:28.000+02:00
diff --git a/src/main/java/eu/righettod/SecurityUtils.java b/src/main/java/eu/righettod/SecurityUtils.java
@@ -1605,6 +1605,8 @@ public static boolean isGZIPCompressedDataSafe(byte[] compressedBytes, long maxC
      * The following information are removed:
      * <ul>
      *     <li>Characters: Carriage Return (CR), Linefeed (LF) and Tabulation (TAB).</li>
+     *     <li>Characters: Unicode LINE SEPARATOR and Unicode PARAGRAPH SEPARATOR.</li>
+     *     <li>Characters: CSI sequences and bare ESC.</li>
      *     <li>Leading and trailing spaces.</li>
      *     <li>Any HTML tags.</li>
      * </ul><br>
@@ -1633,10 +1635,14 @@ public static String sanitizeLogMessage(String message, int maxMessageLength) {
             }
             //Step 1: Remove any CR/LR/TAB characters as well as leading and trailing spaces
             sanitized = sanitized.replaceAll("[\\n\\r\\t]", "").trim();
-            //Step 2: Remove any HTML tags
+            //Step 2: Remove any Unicode LINE SEPARATOR or Unicode PARAGRAPH SEPARATOR as well as leading and trailing spaces
+            sanitized = sanitized.replace("\u2028", "").replace("\u2029", "").trim();
+            //Step 3: Remove ANSI escape sequences as well as leading and trailing spaces
+            sanitized = sanitized.replaceAll("\u001B\\[[\\d;]*[a-zA-Z]", "").replace("\u001B", "").trim();
+            //Step 4: Remove any HTML tags
             PolicyFactory htmlSanitizerPolicy = new HtmlPolicyBuilder().toFactory();
             sanitized = htmlSanitizerPolicy.sanitize(sanitized);
-            //Step 3: Truncate the string in case of need
+            //Step 5: Truncate the string in case of need
             if (sanitized.length() > maxSanitizedMessageLength) {
                 sanitized = sanitized.substring(0, maxSanitizedMessageLength);
             }
diff --git a/src/test/java/eu/righettod/TestSecurityUtils.java b/src/test/java/eu/righettod/TestSecurityUtils.java
@@ -798,6 +798,8 @@ public void sanitizeLogMessage() {
         cases.add(new String[]{"1000", "     test<xss>msg</xss>\n1\r2\t3\t4\n5\r6\t7\t\r\n     ", "testmsg1234567"});
         cases.add(new String[]{"0", "<b>test msg</b><script>alert(1)</script>", "test msg"});
         cases.add(new String[]{"10", "AAAAAAAAAACCC<script src='https://evil.com/a.js'></script>BBBBBBBBBB", "AAAAAAAAAA"});
+        cases.add(new String[]{"100", "hello\u2028world\u2029end", "helloworldend"});
+        cases.add(new String[]{"100", "hello\u001B[31mworld\u001Bend", "helloworldend"});
         cases.forEach(caseData -> {
             int maxMessageLength = Integer.parseInt(caseData[0].trim());
             String originalMessage = caseData[1];
