ZBUG-3640 - fix for OWASP Sanitizer blocking message from displaying in webmail.

Author: sumitkumar1110

src/main/java/org/owasp/html/ExtensibleHtmlStreamRenderer.java

@@ -388,7 +388,7 @@ protected static int checkHtmlCdataCloseable(String localName, StringBuilder sb)
                 }
                 break;
             case '>':
-                if (i >= 2 && sb.charAt(i - 2) == '-' && sb.charAt(i - 2) == '-') {
+                if (i >= 2 && sb.charAt(i - 2) == '-' && sb.charAt(i - 1) == '-') {
                     if (innerStart < 0) {
                         return i - 2;
                     }

src/main/java/org/owasp/html/HtmlStreamRenderer.java

@@ -341,7 +341,7 @@ private static int checkHtmlCdataCloseable(
           }
           break;
         case '>':
-          if (i >= 2 && sb.charAt(i - 2) == '-' && sb.charAt(i - 2) == '-') {
+          if (i >= 2 && sb.charAt(i - 2) == '-' && sb.charAt(i - 1) == '-') {
             if (innerStart < 0) { return i - 2; }
             // Merged start and end like <!--->
             if (innerStart + 6 > i) { return innerStart; }

src/test/java/org/owasp/html/HtmlPolicyBuilderTest.java

@@ -994,6 +994,43 @@ public static final void testTextareaIsNotTextArea() {
     assertEquals("x<textArea>y</textArea>", textAreaPolicy.sanitize(input));
   }
 
+  // Testing CSS Child Combinator between two selector  with case ".hdg-1>._inner"
+  @Test
+  public static final void testCSSChildCombinator() {
+    HtmlPolicyBuilder builder = new HtmlPolicyBuilder();
+
+    PolicyFactory factory = builder.allowElements("span","style","h1").allowTextIn("style","h1")
+            .allowAttributes("type").onElements("style").allowStyling()
+            .toFactory();
+
+
+    String toSanitize = "<style type=\"text/css\">\n"
+            + "<!--\n"
+            + ".hdg-1 {\n"
+            + "width:100%;\n"
+            + "}\n"
+            + "\n"
+            + ".hdg-1>._inner {\n"
+            + "background-color: #999;\n"
+            + "}\n"
+            + "-->\n"
+            + "</style>\n"
+            + "<h1>Test</h1>\n"
+            + "\n"
+            + "<style>\n"
+            + "<!--\n"
+            + ".hdg-1 {\n"
+            + "width:100%;\n"
+            + "}\n"
+            + "\n"
+            + ".hdg-1>._inner {\n"
+            + "background-color: #666;\n"
+            + "}\n"
+            + "-->\n"
+            + "</style>";
+    assertEquals(toSanitize, factory.sanitize(toSanitize));
+  }
+
   private static String apply(HtmlPolicyBuilder b) {
     return apply(b, EXAMPLE);
   }