… missing or emtpy attributes

+Removed AutoCloseableHtmlStreamRenderer for Java SE 6 compatibility

…ttributes or elements that do NOT match a pattern

OWASP#206)

* Do not lcase element or attribute names that match SVG or MathML names exactly

> Currently all names are converted to lowercase which is ok when
> you're using it for HTML only, but if there is an SVG image nested
> inside the HTML it breaks.  For example, when `viewBox` attribute is
> converted to `viewbox` the image is not displayed correctly.

This commit splits *HtmlLexer*.*canonicalName* into variants which preserve
items on whitelists derived from the SVG and MathML specifications, and
adjusts callers of *canonicalName* to use the appropriate variant.

Fixes OWASP#182

* add unittests for mixed-case SVG names

Bumps [junit](https://github.com/junit-team/junit4) from 4.12 to 4.13.1.
- [Release notes](https://github.com/junit-team/junit4/releases)
- [Changelog](https://github.com/junit-team/junit4/blob/main/doc/ReleaseNotes4.12.md)
- [Commits](junit-team/junit4@r4.12...r4.13.1)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* allowAtributes("style")

* Global style test

This may still be overridden with `-Dguava-version=...`.

This addresses a vulnerability where policies that allow `<style>`
elements with text in `<option>` elements are vulnerable to XSS as
disclosed in

https://docs.google.com/document/d/11SoX296sMS0XoQiQbpxc5pNxSdbJKDJkm5BDv0zrX50/edit?usp=sharing

This changes behavior for rendering of `<style>` element text so may
change behavior.

Specifically, `<style>` element text that includes the strings `-->`
or `]]>` will no longer sanitize.

Rather than mucking with `<style>` tag content in all cases, this is a more
tailored fix to the recent vulnerability that just closes `<style>` elements
when we realize they're in a dodgy parsing context.

As described in issue OWASP#254 `&para` is a full complete character
reference when decoding text node content, but not when
decoding attribute content which causes problems for URL attribute
values like

    /test?param1=foo&param2=bar

As shown via JS test code in that issue, a small set of
next characters prevent a character reference name match
from being considered complete.

This commit:
- modifies the decode functions to take an extra parameter
  `boolean inAttribute`, and modifies the Trie traversal
  loops to not store a longest match so far based on that
  parameter and some next character tests
- modifies the HTML lexer to pass that attribute appropriately
- for backwards compat, leaves the old APIs in place but `@deprecated`
- adds unit tests for the decode functions
- adds a unit test for the specific input from the issue

This change should make us more conformant with observed
browser behaviour so is not expected to cause compatibility
problems for existing users.

Fixes OWASP#254

…P#266)

CssTokens code assumed that consumeIdentOrUrlOrFunctions always
returned a token type and consumed characters.

This commit audits all uses of that function and checks that
they make progress.