From ba524e2392e92816e09c3edd119010934b3372fc Mon Sep 17 00:00:00 2001
From: HJW8472 <koos.wiegman@nl.abnamro.com>
Date: Mon, 23 Mar 2020 09:20:26 +0100
Subject: [PATCH 1/7] issue-#310-coding-done

---
 .../validation/HTMLValidationRule.java        | 29 +++++++++++++++----
 1 file changed, 23 insertions(+), 6 deletions(-)

diff --git a/src/main/java/org/owasp/esapi/reference/validation/HTMLValidationRule.java b/src/main/java/org/owasp/esapi/reference/validation/HTMLValidationRule.java
index 0670860d9..54076ba02 100644
--- a/src/main/java/org/owasp/esapi/reference/validation/HTMLValidationRule.java
+++ b/src/main/java/org/owasp/esapi/reference/validation/HTMLValidationRule.java
@@ -46,22 +46,39 @@ public class HTMLValidationRule extends StringValidationRule {
 	/** OWASP AntiSamy markup verification policy */
 	private static Policy antiSamyPolicy = null;
 	private static final Logger LOGGER = ESAPI.getLogger( "HTMLValidationRule" );
+	private static final String ANTISAMYPOLICY_FILENAME = "antisamy-esapi.xml";
 
 	static {
         InputStream resourceStream = null;
 		try {
-			resourceStream = ESAPI.securityConfiguration().getResourceStream("antisamy-esapi.xml");
+			resourceStream = ESAPI.securityConfiguration().getResourceStream(ANTISAMYPOLICY_FILENAME);
 		} catch (IOException e) {
-			throw new ConfigurationException("Couldn't find antisamy-esapi.xml", e);
-	            }
+			LOGGER.info(null,"Loading " + ANTISAMYPOLICY_FILENAME + " from classpaths");
+
+            ClassLoader[] loaders = new ClassLoader[] {
+                    Thread.currentThread().getContextClassLoader(),
+                    ClassLoader.getSystemClassLoader(),
+                    HTMLValidationRule.class.getClassLoader()
+            };
+            for(ClassLoader loader : loaders) {
+                resourceStream = loader.getResourceAsStream(ANTISAMYPOLICY_FILENAME);
+                if(resourceStream!=null) {
+                    LOGGER.info(null, "Successfully loaded " + ANTISAMYPOLICY_FILENAME + " from classpath");
+                    break;
+                }
+            }
+	    }
         if (resourceStream != null) {
         	try {
 				antiSamyPolicy = Policy.getInstance(resourceStream);
 			} catch (PolicyException e) {
-				throw new ConfigurationException("Couldn't parse antisamy policy", e);
-		        }
-			}
+				throw new ConfigurationException("Couldn't parse " + ANTISAMYPOLICY_FILENAME, e);
+	        }
+		}
+        else {
+            throw new ConfigurationException("Couldn't find " + ANTISAMYPOLICY_FILENAME);
 		}
+	}
 
 	public HTMLValidationRule( String typeName ) {
 		super( typeName );

From 459e82e76fae6c97892006aa17c49ca4952ffc7f Mon Sep 17 00:00:00 2001
From: HJW8472 <koos.wiegman@nl.abnamro.com>
Date: Mon, 23 Mar 2020 14:54:49 +0100
Subject: [PATCH 2/7] issue-#310-fixed-testclases-package

---
 .../esapi/reference/validation/HTMLValidationRuleCleanTest.java | 2 +-
 .../reference/validation/HTMLValidationRuleThrowsTest.java      | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/test/java/org/owasp/esapi/reference/validation/HTMLValidationRuleCleanTest.java b/src/test/java/org/owasp/esapi/reference/validation/HTMLValidationRuleCleanTest.java
index dfed45607..8bbb5f756 100644
--- a/src/test/java/org/owasp/esapi/reference/validation/HTMLValidationRuleCleanTest.java
+++ b/src/test/java/org/owasp/esapi/reference/validation/HTMLValidationRuleCleanTest.java
@@ -13,7 +13,7 @@
  * @author kevin.w.wall@gmail.com
  * @since 2019
  */
-package org.owasp.esapi.reference;
+package org.owasp.esapi.reference.validation;
 
 import org.owasp.esapi.ESAPI;
 import org.owasp.esapi.EncoderConstants;
diff --git a/src/test/java/org/owasp/esapi/reference/validation/HTMLValidationRuleThrowsTest.java b/src/test/java/org/owasp/esapi/reference/validation/HTMLValidationRuleThrowsTest.java
index 6726ef56f..7605462aa 100644
--- a/src/test/java/org/owasp/esapi/reference/validation/HTMLValidationRuleThrowsTest.java
+++ b/src/test/java/org/owasp/esapi/reference/validation/HTMLValidationRuleThrowsTest.java
@@ -13,7 +13,7 @@
  * @author kevin.w.wall@gmail.com
  * @since 2019
  */
-package org.owasp.esapi.reference;
+package org.owasp.esapi.reference.validation;
 
 import org.owasp.esapi.ESAPI;
 import org.owasp.esapi.SecurityConfiguration;

From 159e96692cbd2687bd13f64460388a8f2c0460a4 Mon Sep 17 00:00:00 2001
From: HJW8472 <koos.wiegman@nl.abnamro.com>
Date: Wed, 25 Mar 2020 09:09:50 +0100
Subject: [PATCH 3/7] issue-ESAPI#310-tested-and-cleaned-code

---
 .../owasp/esapi/SecurityConfiguration.java    |  6 ++
 .../DefaultSecurityConfiguration.java         | 58 +++++++++++++++++++
 .../validation/HTMLValidationRule.java        | 21 ++-----
 3 files changed, 70 insertions(+), 15 deletions(-)

diff --git a/src/main/java/org/owasp/esapi/SecurityConfiguration.java b/src/main/java/org/owasp/esapi/SecurityConfiguration.java
index ed326d6ae..5772792e5 100644
--- a/src/main/java/org/owasp/esapi/SecurityConfiguration.java
+++ b/src/main/java/org/owasp/esapi/SecurityConfiguration.java
@@ -640,6 +640,12 @@ public interface SecurityConfiguration extends EsapiPropertyLoader {
      */
     InputStream getResourceStream( String filename ) throws IOException;
 
+    /**
+     * Used to load antisamy-esapi.xml from a variety of different classpath locations.
+     *
+     * @param fileName The resource file filename.
+     */
+	InputStream getResourceStreamFromClasspath( String fileName );
     	
 	/**
 	 * Sets the ESAPI resource directory.
diff --git a/src/main/java/org/owasp/esapi/reference/DefaultSecurityConfiguration.java b/src/main/java/org/owasp/esapi/reference/DefaultSecurityConfiguration.java
index d578850ba..050a776c2 100644
--- a/src/main/java/org/owasp/esapi/reference/DefaultSecurityConfiguration.java
+++ b/src/main/java/org/owasp/esapi/reference/DefaultSecurityConfiguration.java
@@ -627,6 +627,64 @@ public File getResourceFile(String filename) {
 		return null;
 	}
 	
+    /**
+     * Used to load antisamy-esapi.xml from a variety of different classpath locations.
+     *
+     * @param fileName The resource file filename.
+     */
+	public InputStream getResourceStreamFromClasspath(String fileName) {
+		InputStream resourceStream = null;
+		
+		ClassLoader[] loaders = new ClassLoader[] {
+				Thread.currentThread().getContextClassLoader(),
+				ClassLoader.getSystemClassLoader(),
+				getClass().getClassLoader() 
+		};
+		
+        for (ClassLoader loader : loaders) {
+			// try root
+			String currentClasspathSearchLocation = "/ (root)";
+            resourceStream = loader.getResourceAsStream(DefaultSearchPath.ROOT.value() + fileName);
+			
+			// try resourceDirectory folder
+			if (resourceStream == null){
+				currentClasspathSearchLocation = resourceDirectory + "/";
+				resourceStream = loader.getResourceAsStream(DefaultSearchPath.RESOURCE_DIRECTORY.value() + fileName);
+			}
+			
+			// try .esapi folder. Look here first for backward compatibility.
+			if (resourceStream == null){
+				currentClasspathSearchLocation = ".esapi/";
+				resourceStream = loader.getResourceAsStream(DefaultSearchPath.DOT_ESAPI.value() + fileName);
+			}
+
+			// try esapi folder (new directory)
+			if (resourceStream == null){
+				currentClasspathSearchLocation = "esapi/";
+				resourceStream = loader.getResourceAsStream(DefaultSearchPath.ESAPI.value() + fileName);
+			}
+
+			// try resources folder
+			if (resourceStream == null){
+				currentClasspathSearchLocation = "resources/";
+				resourceStream = loader.getResourceAsStream(DefaultSearchPath.RESOURCES.value() + fileName);
+			}
+
+			// try src/main/resources folder
+			if (resourceStream == null){
+				currentClasspathSearchLocation = "src/main/resources/";
+				resourceStream = loader.getResourceAsStream(DefaultSearchPath.SRC_MAIN_RESOURCES.value() + fileName);
+			}
+
+            if (resourceStream != null) {
+				logSpecial("SUCCESSFULLY LOADED " + fileName + " via the CLASSPATH from '" + currentClasspathSearchLocation + "'!");
+                break; // Outta here since we've found and loaded it.
+            }
+        }
+		
+		return resourceStream;
+	}
+	
     /**
      * Used to load ESAPI.properties from a variety of different classpath locations.
      *
diff --git a/src/main/java/org/owasp/esapi/reference/validation/HTMLValidationRule.java b/src/main/java/org/owasp/esapi/reference/validation/HTMLValidationRule.java
index 54076ba02..923b74bbd 100644
--- a/src/main/java/org/owasp/esapi/reference/validation/HTMLValidationRule.java
+++ b/src/main/java/org/owasp/esapi/reference/validation/HTMLValidationRule.java
@@ -16,6 +16,7 @@
 package org.owasp.esapi.reference.validation;
 
 import java.io.IOException;
+import java.io.FileNotFoundException;
 import java.io.InputStream;
 import java.util.List;
 
@@ -53,21 +54,11 @@ public class HTMLValidationRule extends StringValidationRule {
 		try {
 			resourceStream = ESAPI.securityConfiguration().getResourceStream(ANTISAMYPOLICY_FILENAME);
 		} catch (IOException e) {
-			LOGGER.info(null,"Loading " + ANTISAMYPOLICY_FILENAME + " from classpaths");
-
-            ClassLoader[] loaders = new ClassLoader[] {
-                    Thread.currentThread().getContextClassLoader(),
-                    ClassLoader.getSystemClassLoader(),
-                    HTMLValidationRule.class.getClassLoader()
-            };
-            for(ClassLoader loader : loaders) {
-                resourceStream = loader.getResourceAsStream(ANTISAMYPOLICY_FILENAME);
-                if(resourceStream!=null) {
-                    LOGGER.info(null, "Successfully loaded " + ANTISAMYPOLICY_FILENAME + " from classpath");
-                    break;
-                }
-            }
-	    }
+			
+			LOGGER.info(Logger.EVENT_FAILURE, "Loading " + ANTISAMYPOLICY_FILENAME + " from classpaths");
+
+			resourceStream = ESAPI.securityConfiguration().getResourceStreamFromClasspath(ANTISAMYPOLICY_FILENAME);
+		}
         if (resourceStream != null) {
         	try {
 				antiSamyPolicy = Policy.getInstance(resourceStream);

From 4624c23f0586d44e8c76df35f7e55edd2279c18e Mon Sep 17 00:00:00 2001
From: HJW8472 <koos.wiegman@nl.abnamro.com>
Date: Wed, 25 Mar 2020 09:16:51 +0100
Subject: [PATCH 4/7] issue-ESAPI#310-removed-an-useless-import

---
 .../org/owasp/esapi/reference/validation/HTMLValidationRule.java | 1 -
 1 file changed, 1 deletion(-)

diff --git a/src/main/java/org/owasp/esapi/reference/validation/HTMLValidationRule.java b/src/main/java/org/owasp/esapi/reference/validation/HTMLValidationRule.java
index 923b74bbd..f481aedc5 100644
--- a/src/main/java/org/owasp/esapi/reference/validation/HTMLValidationRule.java
+++ b/src/main/java/org/owasp/esapi/reference/validation/HTMLValidationRule.java
@@ -16,7 +16,6 @@
 package org.owasp.esapi.reference.validation;
 
 import java.io.IOException;
-import java.io.FileNotFoundException;
 import java.io.InputStream;
 import java.util.List;
 

From 24ac423837206bd33ba10e1c9867a533208410bf Mon Sep 17 00:00:00 2001
From: HJW8472 <koos.wiegman@nl.abnamro.com>
Date: Mon, 30 Mar 2020 09:23:00 +0200
Subject: [PATCH 5/7] issue-#310-fixed-review-comments

---
 .../owasp/esapi/SecurityConfiguration.java    |  7 --
 .../DefaultSecurityConfiguration.java         | 58 ---------------
 .../validation/HTMLValidationRule.java        | 74 ++++++++++++++++++-
 3 files changed, 73 insertions(+), 66 deletions(-)

diff --git a/src/main/java/org/owasp/esapi/SecurityConfiguration.java b/src/main/java/org/owasp/esapi/SecurityConfiguration.java
index 5772792e5..57bfcca38 100644
--- a/src/main/java/org/owasp/esapi/SecurityConfiguration.java
+++ b/src/main/java/org/owasp/esapi/SecurityConfiguration.java
@@ -640,13 +640,6 @@ public interface SecurityConfiguration extends EsapiPropertyLoader {
      */
     InputStream getResourceStream( String filename ) throws IOException;
 
-    /**
-     * Used to load antisamy-esapi.xml from a variety of different classpath locations.
-     *
-     * @param fileName The resource file filename.
-     */
-	InputStream getResourceStreamFromClasspath( String fileName );
-    	
 	/**
 	 * Sets the ESAPI resource directory.
 	 * 
diff --git a/src/main/java/org/owasp/esapi/reference/DefaultSecurityConfiguration.java b/src/main/java/org/owasp/esapi/reference/DefaultSecurityConfiguration.java
index 050a776c2..d578850ba 100644
--- a/src/main/java/org/owasp/esapi/reference/DefaultSecurityConfiguration.java
+++ b/src/main/java/org/owasp/esapi/reference/DefaultSecurityConfiguration.java
@@ -627,64 +627,6 @@ public File getResourceFile(String filename) {
 		return null;
 	}
 	
-    /**
-     * Used to load antisamy-esapi.xml from a variety of different classpath locations.
-     *
-     * @param fileName The resource file filename.
-     */
-	public InputStream getResourceStreamFromClasspath(String fileName) {
-		InputStream resourceStream = null;
-		
-		ClassLoader[] loaders = new ClassLoader[] {
-				Thread.currentThread().getContextClassLoader(),
-				ClassLoader.getSystemClassLoader(),
-				getClass().getClassLoader() 
-		};
-		
-        for (ClassLoader loader : loaders) {
-			// try root
-			String currentClasspathSearchLocation = "/ (root)";
-            resourceStream = loader.getResourceAsStream(DefaultSearchPath.ROOT.value() + fileName);
-			
-			// try resourceDirectory folder
-			if (resourceStream == null){
-				currentClasspathSearchLocation = resourceDirectory + "/";
-				resourceStream = loader.getResourceAsStream(DefaultSearchPath.RESOURCE_DIRECTORY.value() + fileName);
-			}
-			
-			// try .esapi folder. Look here first for backward compatibility.
-			if (resourceStream == null){
-				currentClasspathSearchLocation = ".esapi/";
-				resourceStream = loader.getResourceAsStream(DefaultSearchPath.DOT_ESAPI.value() + fileName);
-			}
-
-			// try esapi folder (new directory)
-			if (resourceStream == null){
-				currentClasspathSearchLocation = "esapi/";
-				resourceStream = loader.getResourceAsStream(DefaultSearchPath.ESAPI.value() + fileName);
-			}
-
-			// try resources folder
-			if (resourceStream == null){
-				currentClasspathSearchLocation = "resources/";
-				resourceStream = loader.getResourceAsStream(DefaultSearchPath.RESOURCES.value() + fileName);
-			}
-
-			// try src/main/resources folder
-			if (resourceStream == null){
-				currentClasspathSearchLocation = "src/main/resources/";
-				resourceStream = loader.getResourceAsStream(DefaultSearchPath.SRC_MAIN_RESOURCES.value() + fileName);
-			}
-
-            if (resourceStream != null) {
-				logSpecial("SUCCESSFULLY LOADED " + fileName + " via the CLASSPATH from '" + currentClasspathSearchLocation + "'!");
-                break; // Outta here since we've found and loaded it.
-            }
-        }
-		
-		return resourceStream;
-	}
-	
     /**
      * Used to load ESAPI.properties from a variety of different classpath locations.
      *
diff --git a/src/main/java/org/owasp/esapi/reference/validation/HTMLValidationRule.java b/src/main/java/org/owasp/esapi/reference/validation/HTMLValidationRule.java
index f481aedc5..bf7296130 100644
--- a/src/main/java/org/owasp/esapi/reference/validation/HTMLValidationRule.java
+++ b/src/main/java/org/owasp/esapi/reference/validation/HTMLValidationRule.java
@@ -30,6 +30,7 @@
 import org.owasp.validator.html.Policy;
 import org.owasp.validator.html.PolicyException;
 import org.owasp.validator.html.ScanException;
+import org.owasp.esapi.reference.DefaultSecurityConfiguration;
 
 
 /**
@@ -48,6 +49,77 @@ public class HTMLValidationRule extends StringValidationRule {
 	private static final Logger LOGGER = ESAPI.getLogger( "HTMLValidationRule" );
 	private static final String ANTISAMYPOLICY_FILENAME = "antisamy-esapi.xml";
 
+    /**
+     * Used to load antisamy-esapi.xml from a variety of different classpath locations.
+	 * The classpath locations are the same classpath locations as used to load esapi.properties.
+	 * See DefaultSecurityConfiguration.DefaultSearchPath.
+     *
+     * @param fileName The resource file filename.
+     */
+	private static InputStream getResourceStreamFromClasspath(String fileName) {
+		InputStream resourceStream = null;
+		
+		ClassLoader[] loaders = new ClassLoader[] {
+				Thread.currentThread().getContextClassLoader(),
+				ClassLoader.getSystemClassLoader(),
+				ESAPI.securityConfiguration().getClass().getClassLoader()  
+						/* can't use just getClass.getClassLoader() in a static context, so using the DefaultSecurityConfiguration class. */
+		};
+		
+		String[] classLoaderNames = {
+				"current thread context class loader",
+				"system class loader",
+				"class loader for DefaultSecurityConfiguration class"
+		};
+		
+		int i = 0;
+        for (ClassLoader loader : loaders) {
+			// try root
+			String currentClasspathSearchLocation = "/ (root)";
+            resourceStream = loader.getResourceAsStream(DefaultSecurityConfiguration.DefaultSearchPath.ROOT.value() + fileName);
+			
+			// try resourceDirectory folder
+			if (resourceStream == null){
+				currentClasspathSearchLocation = DefaultSecurityConfiguration.DefaultSearchPath.RESOURCE_DIRECTORY.value();
+				resourceStream = loader.getResourceAsStream(currentClasspathSearchLocation + fileName);
+			}
+			
+			// try .esapi folder. Look here first for backward compatibility.
+			if (resourceStream == null){
+				currentClasspathSearchLocation = DefaultSecurityConfiguration.DefaultSearchPath.DOT_ESAPI.value();
+				resourceStream = loader.getResourceAsStream(currentClasspathSearchLocation + fileName);
+			}
+
+			// try esapi folder (new directory)
+			if (resourceStream == null){
+				currentClasspathSearchLocation = DefaultSecurityConfiguration.DefaultSearchPath.ESAPI.value();
+				resourceStream = loader.getResourceAsStream(currentClasspathSearchLocation + fileName);
+			}
+
+			// try resources folder
+			if (resourceStream == null){
+				currentClasspathSearchLocation = DefaultSecurityConfiguration.DefaultSearchPath.RESOURCES.value();
+				resourceStream = loader.getResourceAsStream(currentClasspathSearchLocation + fileName);
+			}
+
+			// try src/main/resources folder
+			if (resourceStream == null){
+				currentClasspathSearchLocation = DefaultSecurityConfiguration.DefaultSearchPath.SRC_MAIN_RESOURCES.value();
+				resourceStream = loader.getResourceAsStream(currentClasspathSearchLocation + fileName);
+			}
+
+            if (resourceStream != null) {
+				LOGGER.info(Logger.EVENT_FAILURE, "SUCCESSFULLY LOADED " + fileName + " via the CLASSPATH from '" + 
+					currentClasspathSearchLocation + "' using " + classLoaderNames[i] + "!");
+                break; // Outta here since we've found and loaded it.
+            }
+			
+			i++;
+        }
+		
+		return resourceStream;
+	}
+
 	static {
         InputStream resourceStream = null;
 		try {
@@ -56,7 +128,7 @@ public class HTMLValidationRule extends StringValidationRule {
 			
 			LOGGER.info(Logger.EVENT_FAILURE, "Loading " + ANTISAMYPOLICY_FILENAME + " from classpaths");
 
-			resourceStream = ESAPI.securityConfiguration().getResourceStreamFromClasspath(ANTISAMYPOLICY_FILENAME);
+			resourceStream = getResourceStreamFromClasspath(ANTISAMYPOLICY_FILENAME);
 		}
         if (resourceStream != null) {
         	try {

From 40a632211d4407a0e7fb4b409f03d327321fedce Mon Sep 17 00:00:00 2001
From: HJW8472 <koos.wiegman@nl.abnamro.com>
Date: Sun, 12 Apr 2020 12:17:07 +0200
Subject: [PATCH 6/7] issue-ESAPI#310-filename-configurable-and-added-testclass

---
 .../DefaultSecurityConfiguration.java         |   1 +
 .../validation/HTMLValidationRule.java        |  23 +-
 .../HTMLValidationRuleClasspathTest.java      | 171 ++++++
 src/test/resources/antisamy-esapi-CP.xml      | 492 ++++++++++++++++++
 4 files changed, 682 insertions(+), 5 deletions(-)
 create mode 100644 src/test/java/org/owasp/esapi/reference/validation/HTMLValidationRuleClasspathTest.java
 create mode 100644 src/test/resources/antisamy-esapi-CP.xml

diff --git a/src/main/java/org/owasp/esapi/reference/DefaultSecurityConfiguration.java b/src/main/java/org/owasp/esapi/reference/DefaultSecurityConfiguration.java
index d578850ba..24337e14a 100644
--- a/src/main/java/org/owasp/esapi/reference/DefaultSecurityConfiguration.java
+++ b/src/main/java/org/owasp/esapi/reference/DefaultSecurityConfiguration.java
@@ -159,6 +159,7 @@ public static SecurityConfiguration getInstance() {
     public static final String VALIDATION_PROPERTIES_MULTIVALUED = "Validator.ConfigurationFile.MultiValued";
     public static final String ACCEPT_LENIENT_DATES = "Validator.AcceptLenientDates";
     public static final String VALIDATOR_HTML_VALIDATION_ACTION = "Validator.HtmlValidationAction";
+	public static final String VALIDATOR_HTML_VALIDATION_CONFIGURATION_FILE = "Validator.HtmlValidationConfigurationFile";
 
     /**
      * Special {@code System} property that, if set to {@code true}, will
diff --git a/src/main/java/org/owasp/esapi/reference/validation/HTMLValidationRule.java b/src/main/java/org/owasp/esapi/reference/validation/HTMLValidationRule.java
index bf7296130..f68253cd1 100644
--- a/src/main/java/org/owasp/esapi/reference/validation/HTMLValidationRule.java
+++ b/src/main/java/org/owasp/esapi/reference/validation/HTMLValidationRule.java
@@ -122,23 +122,36 @@ private static InputStream getResourceStreamFromClasspath(String fileName) {
 
 	static {
         InputStream resourceStream = null;
+		String antisamyPolicyFilename = null;
+		
+		try {
+			antisamyPolicyFilename = ESAPI.securityConfiguration().getStringProp(
+                    // Future: This will be moved to a new PropNames class
+                org.owasp.esapi.reference.DefaultSecurityConfiguration.VALIDATOR_HTML_VALIDATION_CONFIGURATION_FILE );
+		} catch (ConfigurationException cex) {
+			
+            LOGGER.info(Logger.EVENT_FAILURE, "ESAPI property " + 
+                           org.owasp.esapi.reference.DefaultSecurityConfiguration.VALIDATOR_HTML_VALIDATION_CONFIGURATION_FILE +
+                           " not set, using default value: " + ANTISAMYPOLICY_FILENAME);
+			antisamyPolicyFilename = ANTISAMYPOLICY_FILENAME;
+		}
 		try {
-			resourceStream = ESAPI.securityConfiguration().getResourceStream(ANTISAMYPOLICY_FILENAME);
+			resourceStream = ESAPI.securityConfiguration().getResourceStream(antisamyPolicyFilename);
 		} catch (IOException e) {
 			
-			LOGGER.info(Logger.EVENT_FAILURE, "Loading " + ANTISAMYPOLICY_FILENAME + " from classpaths");
+			LOGGER.info(Logger.EVENT_FAILURE, "Loading " + antisamyPolicyFilename + " from classpaths");
 
-			resourceStream = getResourceStreamFromClasspath(ANTISAMYPOLICY_FILENAME);
+			resourceStream = getResourceStreamFromClasspath(antisamyPolicyFilename);
 		}
         if (resourceStream != null) {
         	try {
 				antiSamyPolicy = Policy.getInstance(resourceStream);
 			} catch (PolicyException e) {
-				throw new ConfigurationException("Couldn't parse " + ANTISAMYPOLICY_FILENAME, e);
+				throw new ConfigurationException("Couldn't parse " + antisamyPolicyFilename, e);
 	        }
 		}
         else {
-            throw new ConfigurationException("Couldn't find " + ANTISAMYPOLICY_FILENAME);
+            throw new ConfigurationException("Couldn't find " + antisamyPolicyFilename);
 		}
 	}
 
diff --git a/src/test/java/org/owasp/esapi/reference/validation/HTMLValidationRuleClasspathTest.java b/src/test/java/org/owasp/esapi/reference/validation/HTMLValidationRuleClasspathTest.java
new file mode 100644
index 000000000..f032059d1
--- /dev/null
+++ b/src/test/java/org/owasp/esapi/reference/validation/HTMLValidationRuleClasspathTest.java
@@ -0,0 +1,171 @@
+/**
+ * OWASP Enterprise Security API (ESAPI)
+ *
+ * This file is part of the Open Web Application Security Project (OWASP)
+ * Enterprise Security API (ESAPI) project. For details, please see
+ * <a href="http://www.owasp.org/index.php/ESAPI">http://www.owasp.org/index.php/ESAPI</a>.
+ *
+ * Copyright (c) 2019 - The OWASP Foundation
+ *
+ * The ESAPI is published by OWASP under the BSD license. You should read and accept the
+ * LICENSE before you use, modify, and/or redistribute this software.
+ *
+ * @author kevin.w.wall@gmail.com
+ * @since 2019
+ */
+package org.owasp.esapi.reference.validation;
+
+import org.owasp.esapi.ESAPI;
+import org.owasp.esapi.SecurityConfiguration;
+import org.owasp.esapi.SecurityConfigurationWrapper;
+import org.owasp.esapi.ValidationErrorList;
+import org.owasp.esapi.ValidationRule;
+import org.owasp.esapi.Validator;
+import org.owasp.esapi.errors.ValidationException;
+import org.owasp.esapi.reference.validation.HTMLValidationRule;
+
+import org.junit.Test;
+import org.junit.Before;
+import org.junit.After;
+import org.junit.Rule;
+import org.junit.rules.ExpectedException;
+import static org.junit.Assert.*;
+
+/**
+ * The Class HTMLValidationRuleThrowsTest.
+ *
+ * Based on original test cases, testGetValidSafeHTML() and
+ * testIsValidSafeHTML() from ValidatorTest by
+ *      Mike Fauzy (mike.fauzy@aspectsecurity.com) and
+ *      Jeff Williams (jeff.williams@aspectsecurity.com)
+ * that were originally part of src/test/java/org/owasp/esapi/reference/ValidatorTest.java.
+ *
+ * This class tests the cases where the new ESAPI.property
+ *      Validator.HtmlValidationAction
+ * is set to "throw", which causes certain calls to
+ * ESAPI.validator().getValidSafeHTML() or ESAPI.validator().isValidSafeHTML()
+ * to throw a ValidationException rather than simply logging a warning and returning
+ * the cleansed (sanitizied) output when certain unsafe input is encountered.
+ */
+public class HTMLValidationRuleClasspathTest {
+	private static class ConfOverride extends SecurityConfigurationWrapper {
+        private String desiredReturnAction = "clean";
+        private String desiredReturnConfigurationFile = "antisamy-esapi.xml";
+
+		ConfOverride(SecurityConfiguration orig, String desiredReturnAction, String desiredReturnConfigurationFile) {
+			super(orig);
+            this.desiredReturnAction = desiredReturnAction;
+			this.desiredReturnConfigurationFile = desiredReturnConfigurationFile;
+		}
+
+		@Override
+		public String getStringProp(String propName) {
+            // Would it be better making this file a static import?
+			if ( propName.equals( org.owasp.esapi.reference.DefaultSecurityConfiguration.VALIDATOR_HTML_VALIDATION_ACTION ) ) {
+                return desiredReturnAction;
+            } else if ( propName.equals( org.owasp.esapi.reference.DefaultSecurityConfiguration.VALIDATOR_HTML_VALIDATION_CONFIGURATION_FILE ) ) {
+                return desiredReturnConfigurationFile;
+            } else {
+                return super.getStringProp( propName );
+            }
+        }
+    }
+
+    // Must be public!
+    @Rule
+    public ExpectedException thrownEx = ExpectedException.none();
+
+    @After
+    public void tearDown() throws Exception {
+        ESAPI.override(null);
+        thrownEx = ExpectedException.none();
+    }
+
+	@Before
+    public void setUp() throws Exception {
+		ESAPI.override(
+			new ConfOverride( ESAPI.securityConfiguration(), "throw", "antisamy-esapi-CP.xml" )
+		);
+
+    }
+
+    @Test
+    public void testGetValid() throws Exception {
+        System.out.println("getValidCP");
+        Validator instance = ESAPI.validator();
+        HTMLValidationRule rule = new HTMLValidationRule("testCP");
+        ESAPI.validator().addRule(rule);
+
+        thrownEx.expect(ValidationException.class);
+        thrownEx.expectMessage("test: Invalid HTML input");
+
+        instance.getRule("testCP").getValid("test", "Test. <script>alert(document.cookie)</script>");
+    }
+
+    @Test
+    public void testGetValidSafeHTML() throws Exception {
+        System.out.println("getValidSafeHTML");
+        Validator instance = ESAPI.validator();
+
+        HTMLValidationRule rule = new HTMLValidationRule("test");
+        ESAPI.validator().addRule(rule);
+
+        String[] testInput = {
+                                // These first two don't cause AntiSamy to throw.
+                        // "Test. <a href=\"http://www.aspectsecurity.com\">Aspect Security</a>",
+                        // "Test. <<div on<script></script>load=alert()",
+                        "Test. <script>alert(document.cookie)</script>",
+                        "Test. <script>alert(document.cookie)</script>",
+                        "Test. <div style={xss:expression(xss)}>b</div>",
+                        "Test. <s%00cript>alert(document.cookie)</script>",
+                        "Test. <s\tcript>alert(document.cookie)</script>",
+                        "Test. <s\tcript>alert(document.cookie)</script>"
+        };
+
+        int errors = 0;
+        for( int i = 0; i < testInput.length; i++ ) {
+            try {
+                String result = instance.getValidSafeHTML("test", testInput[i], 100, false);
+                errors++;
+                System.out.println("testGetValidSafeHTML(): testInput '" + testInput[i] + "' failed to throw.");
+            }
+            catch( ValidationException vex ) {
+                System.out.println("testGetValidSafeHTML(): testInput '" + testInput[i] + "' returned:");
+                System.out.println("\t" + i + ": logMsg =" + vex.getLogMessage());
+                assertEquals( vex.getUserMessage(), "test: Invalid HTML input");
+            }
+            catch( Exception ex ) {
+                errors++;
+                System.out.println("testGetValidSafeHTML(): testInput '" + testInput[i] +
+                                   "' threw wrong exception type: " + ex.getClass().getName() );
+            }
+        }
+
+        if ( errors > 0 ) {
+            fail("testGetValidSafeHTML() encountered " + errors + " failures.");
+        }
+    }
+
+    @Test
+    public void testIsValidSafeHTML() {
+        System.out.println("isValidSafeHTML");
+        Validator instance = ESAPI.validator();
+        thrownEx = ExpectedException.none();    // Not expecting any exceptions here.
+
+        assertTrue(instance.isValidSafeHTML("test", "<b>Jeff</b>", 100, false));
+        assertTrue(instance.isValidSafeHTML("test", "<a href=\"http://www.aspectsecurity.com\">Aspect Security</a>", 100, false));
+        assertFalse(instance.isValidSafeHTML("test", "Test. <script>alert(document.cookie)</script>", 100, false));
+        assertFalse(instance.isValidSafeHTML("test", "Test. <div style={xss:expression(xss)}>", 100, false));
+        assertFalse(instance.isValidSafeHTML("test", "Test. <s%00cript>alert(document.cookie)</script>", 100, false));
+        assertFalse(instance.isValidSafeHTML("test", "Test. <s\tcript>alert(document.cookie)</script>", 100, false));
+        assertFalse(instance.isValidSafeHTML("test", "Test. <s\r\n\0cript>alert(document.cookie)</script>", 100, false));
+
+        ValidationErrorList errors = new ValidationErrorList();
+        assertFalse(instance.isValidSafeHTML("test1", "Test. <script>alert(document.cookie)</script>", 100, false, errors));
+        assertFalse(instance.isValidSafeHTML("test2", "Test. <div style={xss:expression(xss)}>", 100, false, errors));
+        assertFalse(instance.isValidSafeHTML("test3", "Test. <s%00cript>alert(document.cookie)</script>", 100, false, errors));
+        assertFalse(instance.isValidSafeHTML("test4", "Test. <s\tcript>alert(document.cookie)</script>", 100, false, errors));
+        assertFalse(instance.isValidSafeHTML("test5", "Test. <s\r\n\0cript>alert(document.cookie)</script>", 100, false, errors));
+        assertTrue( errors.size() == 5 );
+    }
+}
diff --git a/src/test/resources/antisamy-esapi-CP.xml b/src/test/resources/antisamy-esapi-CP.xml
new file mode 100644
index 000000000..14880d0b5
--- /dev/null
+++ b/src/test/resources/antisamy-esapi-CP.xml
@@ -0,0 +1,492 @@
+<?xml version="1.0" encoding="ISO-8859-1"?>
+	
+<!-- 
+W3C rules retrieved from:
+http://www.w3.org/TR/html401/struct/global.html
+-->
+	
+<!--
+Slashdot allowed tags taken from "Reply" page:
+<b> <i> <p> <br> <a> <ol> <ul> <li> <dl> <dt> <dd> <em> <strong> <tt> <blockquote> <div> <ecode> <quote>
+-->
+
+<anti-samy-rules xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+		xsi:noNamespaceSchemaLocation="antisamy.xsd">
+	
+	<directives>
+		<directive name="omitXmlDeclaration" value="true"/>
+		<directive name="omitDoctypeDeclaration" value="true"/>
+		<directive name="maxInputSize" value="500000"/>
+		<directive name="embedStyleSheets" value="false"/>
+	</directives>
+	
+	
+	<common-regexps>
+		
+		<!-- 
+		From W3C:
+		This attribute assigns a class name or set of class names to an
+		element. Any number of elements may be assigned the same class
+		name or names. Multiple class names must be separated by white 
+		space characters.
+		-->
+		
+		<regexp name="htmlTitle" value="[a-zA-Z0-9\s-_',:\[\]!\./\\\(\)]*"/> <!-- force non-empty with a '+' at the end instead of '*' -->
+		<regexp name="onsiteURL" value="([\w\\/\.\?=&amp;;\#-~]+|\#(\w)+)"/>
+		<regexp name="offsiteURL" value="(\s)*((ht|f)tp(s?)://|mailto:)[A-Za-z0-9]+[~a-zA-Z0-9-_\.@#$%&amp;;:,\?=/\+!]*(\s)*"/>
+	
+	</common-regexps>
+	
+	<!-- 
+	
+	Tag.name = a, b, div, body, etc.
+	Tag.action = filter: remove tags, but keep content, validate: keep content as long as it passes rules, remove: remove tag and contents
+	Attribute.name = id, class, href, align, width, etc.
+	Attribute.onInvalid = what to do when the attribute is invalid, e.g., remove the tag (removeTag), remove the attribute (removeAttribute), filter the tag (filterTag)
+	Attribute.description = What rules in English you want to tell the users they can have for this attribute. Include helpful things so they'll be able to tune their HTML
+	 
+	 -->
+
+	<!-- 
+	Some attributes are common to all (or most) HTML tags. There aren't many that qualify for this. You have to make sure there's no
+	collisions between any of these attribute names with attribute names of other tags that are for different purposes.
+	-->
+
+	<common-attributes>
+		
+
+		<attribute name="lang" description="The 'lang' attribute tells the browser what language the element's attribute values and content are written in">
+		 	<regexp-list>
+		 		<regexp value="[a-zA-Z]{2,20}"/>
+		 	</regexp-list>
+		 </attribute>
+		 
+		 <attribute name="title" description="The 'title' attribute provides text that shows up in a 'tooltip' when a user hovers their mouse over the element">
+		 	<regexp-list>
+		 		<regexp name="htmlTitle"/>
+		 	</regexp-list>
+		 </attribute>
+
+		<attribute name="href" onInvalid="filterTag">
+			<regexp-list>
+				<regexp name="onsiteURL"/>
+				<regexp name="offsiteURL"/>
+			</regexp-list>
+		</attribute>
+	
+		<attribute name="align" description="The 'align' attribute of an HTML element is a direction word, like 'left', 'right' or 'center'">
+			<literal-list>
+				<literal value="center"/>
+				<literal value="left"/>
+				<literal value="right"/>
+				<literal value="justify"/>
+				<literal value="char"/>
+			</literal-list>
+		</attribute>
+
+	</common-attributes>
+
+
+	<!--
+	This requires normal updates as browsers continue to diverge from the W3C and each other. As long as the browser wars continue
+	this is going to continue. I'm not sure war is the right word for what's going on. Doesn't somebody have to win a war after 
+	a while?
+	 -->
+	
+	<global-tag-attributes>
+		<attribute name="title"/>
+		<attribute name="lang"/>
+	</global-tag-attributes>
+
+
+	<tag-rules>
+
+		<!-- Tags related to JavaScript -->
+
+		<tag name="script" action="remove"/>
+		<tag name="noscript" action="remove"/>
+		
+		<!-- Frame & related tags -->
+		
+		<tag name="iframe" action="remove"/>
+		<tag name="frameset" action="remove"/>
+		<tag name="frame" action="remove"/>
+		<tag name="noframes" action="remove"/>
+		
+
+		<!-- All reasonable formatting tags -->
+		
+		<tag name="p" action="validate">
+			<attribute name="align"/>
+		</tag>
+
+		<tag name="div" action="validate"/>		
+		<tag name="i" action="validate"/>
+		<tag name="b" action="validate"/>
+		<tag name="em" action="validate"/>
+		<tag name="blockquote" action="validate"/>
+		<tag name="tt" action="validate"/>
+		
+		<tag name="br" action="truncate"/>
+
+		<!-- Custom Slashdot tags, though we're trimming the idea of having a possible mismatching end tag with the endtag="" attribute -->
+		
+		<tag name="quote" action="validate"/>
+		<tag name="ecode" action="validate"/> 
+		
+						
+		<!-- Anchor and anchor related tags -->
+		
+		<tag name="a" action="validate">
+
+			<attribute name="href" onInvalid="filterTag"/>
+			<attribute name="nohref">
+				<literal-list>
+					<literal value="nohref"/>
+					<literal value=""/>
+				</literal-list>
+			</attribute>
+			<attribute name="rel">
+				<literal-list>
+					<literal value="nofollow"/>
+				</literal-list>
+			</attribute>
+		</tag>
+
+		<!-- List tags -->
+
+		<tag name="ul" action="validate"/>
+		<tag name="ol" action="validate"/>
+		<tag name="li" action="validate"/>
+		
+	</tag-rules>
+
+
+
+	<!--  No CSS on Slashdot posts -->
+
+	<css-rules>
+	</css-rules>
+
+
+	<html-entities>
+		<entity name="amp" cdata="&amp;"/>
+		<entity name="nbsp" cdata="&amp;#160;"/>
+		
+		<entity name="iexcl" cdata="&amp;#161;"/> <!--inverted exclamation mark, U+00A1 ISOnum -->
+		<entity name="cent" cdata="&amp;#162;"/> <!--cent sign, U+00A2 ISOnum -->
+		<entity name="pound" cdata="&amp;#163;"/> <!--pound sign, U+00A3 ISOnum -->
+		<entity name="curren" cdata="&amp;#164;"/> <!--currency sign, U+00A4 ISOnum -->
+		<entity name="yen" cdata="&amp;#165;"/> <!--yen sign = yuan sign, U+00A5 ISOnum -->
+		<entity name="brvbar" cdata="&amp;#166;"/> <!--broken bar = broken vertical bar, U+00A6 ISOnum -->
+		<entity name="sect" cdata="&amp;#167;"/> <!--section sign, U+00A7 ISOnum -->
+		<entity name="uml" cdata="&amp;#168;"/> <!--diaeresis = spacing diaeresis, U+00A8 ISOdia -->
+		<entity name="copy" cdata="&amp;#169;"/> <!--copyright sign, U+00A9 ISOnum -->
+		<entity name="ordf" cdata="&amp;#170;"/> <!--feminine ordinal indicator, U+00AA ISOnum -->
+		<entity name="laquo" cdata="&amp;#171;"/> <!--left-pointing double angle quotation mark = left pointing guillemet, U+00AB ISOnum -->
+		<entity name="not" cdata="&amp;#172;"/> <!--not sign, U+00AC ISOnum -->
+		<entity name="shy" cdata="&amp;#173;"/> <!--soft hyphen = discretionary hyphen,U+00AD ISOnum -->
+		<entity name="reg" cdata="&amp;#174;"/> <!--registered sign = registered trade mark sign, U+00AE ISOnum -->
+		<entity name="macr" cdata="&amp;#175;"/> <!--macron = spacing macron = overline = APL overbar, U+00AF ISOdia -->
+		<entity name="deg" cdata="&amp;#176;"/> <!--degree sign, U+00B0 ISOnum -->
+		<entity name="plusmn" cdata="&amp;#177;"/> <!--plus-minus sign = plus-or-minus sign, U+00B1 ISOnum -->
+		<entity name="sup2" cdata="&amp;#178;"/> <!--superscript two = superscript digit two = squared, U+00B2 ISOnum -->
+		<entity name="sup3" cdata="&amp;#179;"/> <!--superscript three = superscript digit three= cubed, U+00B3 ISOnum -->
+		<entity name="acute" cdata="&amp;#180;"/> <!--acute accent = spacing acute, U+00B4 ISOdia -->
+		<entity name="micro" cdata="&amp;#181;"/> <!--micro sign, U+00B5 ISOnum -->
+		<entity name="para" cdata="&amp;#182;"/> <!--pilcrow sign = paragraph sign, U+00B6 ISOnum -->
+		<entity name="middot" cdata="&amp;#183;"/> <!--middle dot = Georgian comma = Greek middle dot, U+00B7 ISOnum -->
+		<entity name="cedil" cdata="&amp;#184;"/> <!--cedilla = spacing cedilla, U+00B8 ISOdia -->
+		<entity name="sup1" cdata="&amp;#185;"/> <!--superscript one = superscript digit one,U+00B9 ISOnum -->
+		<entity name="ordm" cdata="&amp;#186;"/> <!--masculine ordinal indicator, U+00BA ISOnum -->
+		<entity name="raquo" cdata="&amp;#187;"/> <!--right-pointing double angle quotation mark = right pointing guillemet, U+00BB ISOnum -->
+		<entity name="frac14" cdata="&amp;#188;"/> <!--vulgar fraction one quarter = fraction one quarter, U+00BC ISOnum -->
+		<entity name="frac12" cdata="&amp;#189;"/> <!--vulgar fraction one half = fraction one half, U+00BD ISOnum -->
+		<entity name="frac34" cdata="&amp;#190;"/> <!--vulgar fraction three quarters = fraction three quarters, U+00BE ISOnum -->
+		<entity name="iquest" cdata="&amp;#191;"/> <!--inverted question mark = turned question mark, U+00BF ISOnum -->
+		<entity name="Agrave" cdata="&amp;#192;"/> <!--latin capital letter A with grave = latin capital letter A grave,U+00C0 ISOlat1 -->
+		<entity name="Aacute" cdata="&amp;#193;"/> <!--latin capital letter A with acute,U+00C1 ISOlat1 -->
+		<entity name="Acirc" cdata="&amp;#194;"/> <!--latin capital letter A with circumflex,U+00C2 ISOlat1 -->
+		<entity name="Atilde" cdata="&amp;#195;"/> <!--latin capital letter A with tilde,U+00C3 ISOlat1 -->
+		<entity name="Auml" cdata="&amp;#196;"/> <!--latin capital letter A with diaeresis,U+00C4 ISOlat1 -->
+		<entity name="Aring" cdata="&amp;#197;"/> <!--latin capital letter A with ring above = latin capital letter A ring, U+00C5 ISOlat1 -->
+		<entity name="AElig" cdata="&amp;#198;"/> <!--latin capital letter AE = latin capital ligature AE, U+00C6 ISOlat1 -->
+		<entity name="Ccedil" cdata="&amp;#199;"/> <!--latin capital letter C with cedilla, U+00C7 ISOlat1 -->
+		<entity name="Egrave" cdata="&amp;#200;"/> <!--latin capital letter E with grave, U+00C8 ISOlat1 -->
+		<entity name="Eacute" cdata="&amp;#201;"/> <!--latin capital letter E with acute,U+00C9 ISOlat1 -->
+		<entity name="Ecirc" cdata="&amp;#202;"/> <!--latin capital letter E with circumflex,U+00CA ISOlat1 -->
+		<entity name="Euml" cdata="&amp;#203;"/> <!--latin capital letter E with diaeresis, U+00CB ISOlat1 -->
+		<entity name="Igrave" cdata="&amp;#204;"/> <!--latin capital letter I with grave, U+00CC ISOlat1 -->
+		<entity name="Iacute" cdata="&amp;#205;"/> <!--latin capital letter I with acute, U+00CD ISOlat1 -->
+		<entity name="Icirc" cdata="&amp;#206;"/> <!--latin capital letter I with circumflex, U+00CE ISOlat1 -->
+		<entity name="Iuml" cdata="&amp;#207;"/> <!--latin capital letter I with diaeresis, U+00CF ISOlat1 -->
+		<entity name="ETH" cdata="&amp;#208;"/> <!--latin capital letter ETH, U+00D0 ISOlat1 -->
+		<entity name="Ntilde" cdata="&amp;#209;"/> <!--latin capital letter N with tilde, U+00D1 ISOlat1 -->
+		<entity name="Ograve" cdata="&amp;#210;"/> <!--latin capital letter O with grave, U+00D2 ISOlat1 -->
+		<entity name="Oacute" cdata="&amp;#211;"/> <!--latin capital letter O with acute, U+00D3 ISOlat1 -->
+		<entity name="Ocirc" cdata="&amp;#212;"/> <!--latin capital letter O with circumflex, U+00D4 ISOlat1 -->
+		<entity name="Otilde" cdata="&amp;#213;"/> <!--latin capital letter O with tilde, U+00D5 ISOlat1 -->
+		<entity name="Ouml" cdata="&amp;#214;"/> <!--latin capital letter O with diaeresis, U+00D6 ISOlat1 -->
+		<entity name="times" cdata="&amp;#215;"/> <!--multiplication sign, U+00D7 ISOnum -->
+		<entity name="Oslash" cdata="&amp;#216;"/> <!--latin capital letter O with stroke = latin capital letter O slash, U+00D8 ISOlat1 -->
+		<entity name="Ugrave" cdata="&amp;#217;"/> <!--latin capital letter U with grave, U+00D9 ISOlat1 -->
+		<entity name="Uacute" cdata="&amp;#218;"/> <!--latin capital letter U with acute, U+00DA ISOlat1 -->
+		<entity name="Ucirc" cdata="&amp;#219;"/> <!--latin capital letter U with circumflex, U+00DB ISOlat1 -->
+		<entity name="Uuml" cdata="&amp;#220;"/> <!--latin capital letter U with diaeresis, U+00DC ISOlat1 -->
+		<entity name="Yacute" cdata="&amp;#221;"/> <!--latin capital letter Y with acute, U+00DD ISOlat1 -->
+		<entity name="THORN" cdata="&amp;#222;"/> <!--latin capital letter THORN, U+00DE ISOlat1 -->
+		<entity name="szlig" cdata="&amp;#223;"/> <!--latin small letter sharp s = ess-zed, U+00DF ISOlat1 -->
+		<entity name="agrave" cdata="&amp;#224;"/> <!--latin small letter a with grave = latin small letter a grave, U+00E0 ISOlat1 -->
+		<entity name="aacute" cdata="&amp;#225;"/> <!--latin small letter a with acute, U+00E1 ISOlat1 -->
+		<entity name="acirc" cdata="&amp;#226;"/> <!--latin small letter a with circumflex, U+00E2 ISOlat1 -->
+		<entity name="atilde" cdata="&amp;#227;"/> <!--latin small letter a with tilde, U+00E3 ISOlat1 -->
+		<entity name="auml" cdata="&amp;#228;"/> <!--latin small letter a with diaeresis, U+00E4 ISOlat1 -->
+		<entity name="aring" cdata="&amp;#229;"/> <!--latin small letter a with ring above = latin small letter a ring, U+00E5 ISOlat1 -->
+		<entity name="aelig" cdata="&amp;#230;"/> <!--latin small letter ae = latin small ligature ae, U+00E6 ISOlat1 -->
+		<entity name="ccedil" cdata="&amp;#231;"/> <!--latin small letter c with cedilla, U+00E7 ISOlat1 -->
+		<entity name="egrave" cdata="&amp;#232;"/> <!--latin small letter e with grave, U+00E8 ISOlat1 -->
+		<entity name="eacute" cdata="&amp;#233;"/> <!--latin small letter e with acute, U+00E9 ISOlat1 -->
+		<entity name="ecirc" cdata="&amp;#234;"/> <!--latin small letter e with circumflex, U+00EA ISOlat1 -->
+		<entity name="euml" cdata="&amp;#235;"/> <!--latin small letter e with diaeresis, U+00EB ISOlat1 -->
+		<entity name="igrave" cdata="&amp;#236;"/> <!--latin small letter i with grave, U+00EC ISOlat1 -->
+		<entity name="iacute" cdata="&amp;#237;"/> <!--latin small letter i with acute, U+00ED ISOlat1 -->
+		<entity name="icirc" cdata="&amp;#238;"/> <!--latin small letter i with circumflex, U+00EE ISOlat1 -->
+		<entity name="iuml" cdata="&amp;#239;"/> <!--latin small letter i with diaeresis, U+00EF ISOlat1 -->
+		<entity name="eth" cdata="&amp;#240;"/> <!--latin small letter eth, U+00F0 ISOlat1 -->
+		<entity name="ntilde" cdata="&amp;#241;"/> <!--latin small letter n with tilde, U+00F1 ISOlat1 -->
+		<entity name="ograve" cdata="&amp;#242;"/> <!--latin small letter o with grave, U+00F2 ISOlat1 -->
+		<entity name="oacute" cdata="&amp;#243;"/> <!--latin small letter o with acute, U+00F3 ISOlat1 -->
+		<entity name="ocirc " cdata="&amp;#244;"/> <!--latin small letter o with circumflex, U+00F4 ISOlat1 -->
+		<entity name="otilde" cdata="&amp;#245;"/> <!--latin small letter o with tilde, U+00F5 ISOlat1 -->
+		<entity name="ouml" cdata="&amp;#246;"/> <!--latin small letter o with diaeresis, U+00F6 ISOlat1 -->
+		<entity name="divide" cdata="&amp;#247;"/> <!--division sign, U+00F7 ISOnum -->
+		<entity name="oslash" cdata="&amp;#248;"/> <!--latin small letter o with stroke, = latin small letter o slash, U+00F8 ISOlat1 -->
+		<entity name="ugrave" cdata="&amp;#249;"/> <!--latin small letter u with grave, U+00F9 ISOlat1 -->
+		<entity name="uacute" cdata="&amp;#250;"/> <!--latin small letter u with acute, U+00FA ISOlat1 -->
+		<entity name="ucirc" cdata="&amp;#251;"/> <!--latin small letter u with circumflex, U+00FB ISOlat1 -->
+		<entity name="uuml" cdata="&amp;#252;"/> <!--latin small letter u with diaeresis, U+00FC ISOlat1 -->
+		<entity name="yacute" cdata="&amp;#253;"/> <!--latin small letter y with acute, U+00FD ISOlat1 -->
+		<entity name="thorn" cdata="&amp;#254;"/> <!--latin small letter thorn, U+00FE ISOlat1 -->
+		<entity name="yuml" cdata="&amp;#255;"/> <!--latin small letter y with diaeresis, U+00FF ISOlat1 -->
+		                                  
+		<entity name="fnof" cdata="&amp;#402;"/> <!--latin small f with hook = function = florin, U+0192 ISOtech -->
+		
+		<!-- Greek -->
+		<entity name="Alpha" cdata="&amp;#913;"/> <!--greek capital letter alpha, U+0391 -->
+		<entity name="Beta" cdata="&amp;#914;"/> <!--greek capital letter beta, U+0392 -->
+		<entity name="Gamma" cdata="&amp;#915;"/> <!--greek capital letter gamma, U+0393 ISOgrk3 -->
+		<entity name="Delta" cdata="&amp;#916;"/> <!--greek capital letter delta, U+0394 ISOgrk3 -->
+		<entity name="Epsilon" cdata="&amp;#917;"/> <!--greek capital letter epsilon, U+0395 -->
+		<entity name="Zeta" cdata="&amp;#918;"/> <!--greek capital letter zeta, U+0396 -->
+		<entity name="Eta" cdata="&amp;#919;"/> <!--greek capital letter eta, U+0397 -->
+		<entity name="Theta" cdata="&amp;#920;"/> <!--greek capital letter theta, U+0398 ISOgrk3 -->
+		<entity name="Iota" cdata="&amp;#921;"/> <!--greek capital letter iota, U+0399 -->
+		<entity name="Kappa" cdata="&amp;#922;"/> <!--greek capital letter kappa, U+039A -->
+		<entity name="Lambda" cdata="&amp;#923;"/> <!--greek capital letter lambda, U+039B ISOgrk3 -->
+		<entity name="Mu" cdata="&amp;#924;"/> <!--greek capital letter mu, U+039C -->
+		<entity name="Nu" cdata="&amp;#925;"/> <!--greek capital letter nu, U+039D -->
+		<entity name="Xi" cdata="&amp;#926;"/> <!--greek capital letter xi, U+039E ISOgrk3 -->
+		<entity name="Omicron" cdata="&amp;#927;"/> <!--greek capital letter omicron, U+039F -->
+		<entity name="Pi" cdata="&amp;#928;"/> <!--greek capital letter pi, U+03A0 ISOgrk3 -->
+		<entity name="Rho" cdata="&amp;#929;"/> <!--greek capital letter rho, U+03A1 -->
+		<!-- there is no Sigmaf, and no U+03A2 character either -->
+		<entity name="Sigma" cdata="&amp;#931;"/> <!--greek capital letter sigma, U+03A3 ISOgrk3 -->
+		<entity name="Tau" cdata="&amp;#932;"/> <!--greek capital letter tau, U+03A4 -->
+		<entity name="Upsilon" cdata="&amp;#933;"/> <!--greek capital letter upsilon,U+03A5 ISOgrk3 -->
+		<entity name="Phi" cdata="&amp;#934;"/> <!--greek capital letter phi,U+03A6 ISOgrk3 -->
+		<entity name="Chi" cdata="&amp;#935;"/> <!--greek capital letter chi, U+03A7 -->
+		<entity name="Psi" cdata="&amp;#936;"/> <!--greek capital letter psi,U+03A8 ISOgrk3 -->
+		<entity name="Omega" cdata="&amp;#937;"/> <!--greek capital letter omega,U+03A9 ISOgrk3 -->
+		
+		<entity name="alpha" cdata="&amp;#945;"/> <!--greek small letter alpha,U+03B1 ISOgrk3 -->
+		<entity name="beta" cdata="&amp;#946;"/> <!--greek small letter beta, U+03B2 ISOgrk3 -->
+		<entity name="gamma" cdata="&amp;#947;"/> <!--greek small letter gamma,U+03B3 ISOgrk3 -->
+		<entity name="delta" cdata="&amp;#948;"/> <!--greek small letter delta,U+03B4 ISOgrk3 -->
+		<entity name="epsilon" cdata="&amp;#949;"/> <!--greek small letter epsilon,U+03B5 ISOgrk3 -->
+		<entity name="zeta" cdata="&amp;#950;"/> <!--greek small letter zeta, U+03B6 ISOgrk3 -->
+		<entity name="eta" cdata="&amp;#951;"/> <!--greek small letter eta, U+03B7 ISOgrk3 -->
+		<entity name="theta" cdata="&amp;#952;"/> <!--greek small letter theta, U+03B8 ISOgrk3 -->
+		<entity name="iota" cdata="&amp;#953;"/> <!--greek small letter iota, U+03B9 ISOgrk3 -->
+		<entity name="kappa" cdata="&amp;#954;"/> <!--greek small letter kappa,U+03BA ISOgrk3 -->
+		<entity name="lambda" cdata="&amp;#955;"/> <!--greek small letter lambda, U+03BB ISOgrk3 -->
+		<entity name="mu" cdata="&amp;#956;"/> <!--greek small letter mu, U+03BC ISOgrk3 -->
+		<entity name="nu" cdata="&amp;#957;"/> <!--greek small letter nu, U+03BD ISOgrk3 -->
+		<entity name="xi" cdata="&amp;#958;"/> <!--greek small letter xi, U+03BE ISOgrk3 -->
+		<entity name="omicron" cdata="&amp;#959;"/> <!--greek small letter omicron, U+03BF NEW -->
+		<entity name="pi" cdata="&amp;#960;"/> <!--greek small letter pi, U+03C0 ISOgrk3 -->
+		<entity name="rho" cdata="&amp;#961;"/> <!--greek small letter rho, U+03C1 ISOgrk3 -->
+		<entity name="sigmaf" cdata="&amp;#962;"/> <!--greek small letter final sigma, U+03C2 ISOgrk3 -->
+		<entity name="sigma" cdata="&amp;#963;"/> <!--greek small letter sigma, U+03C3 ISOgrk3 -->
+		<entity name="tau" cdata="&amp;#964;"/> <!--greek small letter tau, U+03C4 ISOgrk3 -->
+		<entity name="upsilon" cdata="&amp;#965;"/> <!--greek small letter upsilon, U+03C5 ISOgrk3 -->
+		<entity name="phi" cdata="&amp;#966;"/> <!--greek small letter phi, U+03C6 ISOgrk3 -->
+		<entity name="chi" cdata="&amp;#967;"/> <!--greek small letter chi, U+03C7 ISOgrk3 -->
+		<entity name="psi" cdata="&amp;#968;"/> <!--greek small letter psi, U+03C8 ISOgrk3 -->
+		<entity name="omega" cdata="&amp;#969;"/> <!--greek small letter omega, U+03C9 ISOgrk3 -->
+		<entity name="thetasym" cdata="&amp;#977;"/> <!--greek small letter theta symbol, U+03D1 NEW -->
+		<entity name="upsih" cdata="&amp;#978;"/> <!--greek upsilon with hook symbol, U+03D2 NEW -->
+		<entity name="piv" cdata="&amp;#982;"/> <!--greek pi symbol, U+03D6 ISOgrk3 -->
+		
+		<!-- General Punctuation -->
+		<entity name="bull" cdata="&amp;#8226;"/> <!--bullet = black small circle, U+2022 ISOpub  -->
+		<!-- bullet is NOT the same as bullet operator, U+2219 -->
+		<entity name="hellip" cdata="&amp;#8230;"/> <!--horizontal ellipsis = three dot leader, U+2026 ISOpub  -->
+		<entity name="prime" cdata="&amp;#8242;"/> <!--prime = minutes = feet, U+2032 ISOtech -->
+		<entity name="Prime" cdata="&amp;#8243;"/> <!--double prime = seconds = inches, U+2033 ISOtech -->
+		<entity name="oline" cdata="&amp;#8254;"/> <!--overline = spacing overscore, U+203E NEW -->
+		<entity name="frasl" cdata="&amp;#8260;"/> <!--fraction slash, U+2044 NEW -->
+		
+		<!-- Letterlike Symbols -->
+		<entity name="weierp" cdata="&amp;#8472;"/> <!--script capital P = power set = Weierstrass p, U+2118 ISOamso -->
+		<entity name="image" cdata="&amp;#8465;"/> <!--blackletter capital I = imaginary part, U+2111 ISOamso -->
+		<entity name="real" cdata="&amp;#8476;"/> <!--blackletter capital R = real part symbol, U+211C ISOamso -->
+		<entity name="trade" cdata="&amp;#8482;"/> <!--trade mark sign, U+2122 ISOnum -->
+		<entity name="alefsym" cdata="&amp;#8501;"/> <!--alef symbol = first transfinite cardinal, U+2135 NEW -->
+		<!-- alef symbol is NOT the same as hebrew letter alef,
+		     U+05D0 although the same glyph could be used to depict both characters -->
+		
+		<!-- Arrows -->
+		<entity name="larr" cdata="&amp;#8592;"/> <!--leftwards arrow, U+2190 ISOnum -->
+		<entity name="uarr" cdata="&amp;#8593;"/> <!--upwards arrow, U+2191 ISOnum-->
+		<entity name="rarr" cdata="&amp;#8594;"/> <!--rightwards arrow, U+2192 ISOnum -->
+		<entity name="darr" cdata="&amp;#8595;"/> <!--downwards arrow, U+2193 ISOnum -->
+		<entity name="harr" cdata="&amp;#8596;"/> <!--left right arrow, U+2194 ISOamsa -->
+		<entity name="crarr" cdata="&amp;#8629;"/> <!--downwards arrow with corner leftwards
+		                                     = carriage return, U+21B5 NEW -->
+		<entity name="lArr" cdata="&amp;#8656;"/> <!--leftwards double arrow, U+21D0 ISOtech -->
+		
+		<!-- ISO 10646 does not say that lArr is the same as the 'is implied by' arrow
+		    but also does not have any other character for that function. So ? lArr can
+		    be used for 'is implied by' as ISOtech suggests -->
+		    
+		<entity name="uArr" cdata="&amp;#8657;"/> <!--upwards double arrow, U+21D1 ISOamsa -->
+		<entity name="rArr" cdata="&amp;#8658;"/> <!--rightwards double arrow, U+21D2 ISOtech -->
+		
+		<!-- ISO 10646 does not say this is the 'implies' character but does not have 
+		     another character with this function so ?
+		     rArr can be used for 'implies' as ISOtech suggests -->
+		     
+		<entity name="dArr" cdata="&amp;#8659;"/> <!--downwards double arrow, U+21D3 ISOamsa -->
+		<entity name="hArr" cdata="&amp;#8660;"/> <!--left right double arrow, U+21D4 ISOamsa -->
+		
+		<!-- Mathematical Operators -->
+		<entity name="forall" cdata="&amp;#8704;"/> <!--for all, U+2200 ISOtech -->
+		<entity name="part" cdata="&amp;#8706;"/> <!--partial differential, U+2202 ISOtech  -->
+		<entity name="exist" cdata="&amp;#8707;"/> <!--there exists, U+2203 ISOtech -->
+		<entity name="empty" cdata="&amp;#8709;"/> <!--empty set = null set = diameter,U+2205 ISOamso -->
+		<entity name="nabla" cdata="&amp;#8711;"/> <!--nabla = backward difference, U+2207 ISOtech -->
+		<entity name="isin" cdata="&amp;#8712;"/> <!--element of, U+2208 ISOtech -->
+		<entity name="notin" cdata="&amp;#8713;"/> <!--not an element of, U+2209 ISOtech -->
+		<entity name="ni" cdata="&amp;#8715;"/> <!--contains as member, U+220B ISOtech -->
+	
+		<!-- should there be a more memorable name than 'ni'? -->
+		<entity name="prod" cdata="&amp;#8719;"/> <!--n-ary product = product sign, U+220F ISOamsb -->
+		
+		<!-- prod is NOT the same character as U+03A0 'greek capital letter pi' though
+		     the same glyph might be used for both -->
+		     
+		<entity name="sum" cdata="&amp;#8721;"/> <!--n-ary sumation, U+2211 ISOamsb -->
+		
+		<!-- sum is NOT the same character as U+03A3 'greek capital letter sigma'
+		     though the same glyph might be used for both -->
+		
+		<entity name="minus" cdata="&amp;#8722;"/> <!--minus sign, U+2212 ISOtech -->
+		<entity name="lowast" cdata="&amp;#8727;"/> <!--asterisk operator, U+2217 ISOtech -->
+		<entity name="radic" cdata="&amp;#8730;"/> <!--square root = radical sign, U+221A ISOtech -->
+		<entity name="prop" cdata="&amp;#8733;"/> <!--proportional to, U+221D ISOtech -->
+		<entity name="infin" cdata="&amp;#8734;"/> <!--infinity, U+221E ISOtech -->
+		<entity name="ang" cdata="&amp;#8736;"/> <!--angle, U+2220 ISOamso -->
+		<entity name="and" cdata="&amp;#8743;"/> <!--logical and = wedge, U+2227 ISOtech -->
+		<entity name="or" cdata="&amp;#8744;"/> <!--logical or = vee, U+2228 ISOtech -->
+		<entity name="cap" cdata="&amp;#8745;"/> <!--intersection = cap, U+2229 ISOtech -->
+		<entity name="cup" cdata="&amp;#8746;"/> <!--union = cup, U+222A ISOtech -->
+		<entity name="int" cdata="&amp;#8747;"/> <!--integral, U+222B ISOtech -->
+		<entity name="there4" cdata="&amp;#8756;"/> <!--therefore, U+2234 ISOtech -->
+		<entity name="sim" cdata="&amp;#8764;"/> <!--tilde operator = varies with = similar to, U+223C ISOtech -->
+		
+		<!-- tilde operator is NOT the same character as the tilde, U+007E,
+		     although the same glyph might be used to represent both  -->
+		     
+		<entity name="cong" cdata="&amp;#8773;"/> <!--approximately equal to, U+2245 ISOtech -->
+		<entity name="asymp" cdata="&amp;#8776;"/> <!--almost equal to = asymptotic to, U+2248 ISOamsr -->
+		<entity name="ne" cdata="&amp;#8800;"/> <!--not equal to, U+2260 ISOtech -->
+		<entity name="equiv" cdata="&amp;#8801;"/> <!--identical to, U+2261 ISOtech -->
+		<entity name="le" cdata="&amp;#8804;"/> <!--less-than or equal to, U+2264 ISOtech -->
+		<entity name="ge" cdata="&amp;#8805;"/> <!--greater-than or equal to, U+2265 ISOtech -->
+		<entity name="sub" cdata="&amp;#8834;"/> <!--subset of, U+2282 ISOtech -->
+		<entity name="sup" cdata="&amp;#8835;"/> <!--superset of, U+2283 ISOtech -->
+		
+		<!-- note that nsup, 'not a superset of, U+2283' is not covered by the Symbol 
+		     font encoding and is not included. Should it be, for symmetry?
+		     It is in ISOamsn  --> 
+		
+		<entity name="nsub" cdata="&amp;#8836;"/> <!--not a subset of, U+2284 ISOamsn -->
+		<entity name="sube" cdata="&amp;#8838;"/> <!--subset of or equal to, U+2286 ISOtech -->
+		<entity name="supe" cdata="&amp;#8839;"/> <!--superset of or equal to, U+2287 ISOtech -->
+		<entity name="oplus" cdata="&amp;#8853;"/> <!--circled plus = direct sum, U+2295 ISOamsb -->
+		<entity name="otimes" cdata="&amp;#8855;"/> <!--circled times = vector product, U+2297 ISOamsb -->
+		<entity name="perp" cdata="&amp;#8869;"/> <!--up tack = orthogonal to = perpendicular, U+22A5 ISOtech -->
+		<entity name="sdot" cdata="&amp;#8901;"/> <!--dot operator, U+22C5 ISOamsb -->
+		<!-- dot operator is NOT the same character as U+00B7 middle dot -->
+		
+		<!-- Miscellaneous Technical -->
+		<entity name="lceil" cdata="&amp;#8968;"/> <!--left ceiling = apl upstile, U+2308 ISOamsc  -->
+		<entity name="rceil" cdata="&amp;#8969;"/> <!--right ceiling, U+2309 ISOamsc  -->
+		<entity name="lfloor" cdata="&amp;#8970;"/> <!--left floor = apl downstile, U+230A ISOamsc  -->
+		<entity name="rfloor" cdata="&amp;#8971;"/> <!--right floor, U+230B ISOamsc  -->
+		<entity name="lang" cdata="&amp;#9001;"/> <!--left-pointing angle bracket = bra, U+2329 ISOtech -->
+		<!-- lang is NOT the same character as U+003C 'less than' 
+		     or U+2039 'single left-pointing angle quotation mark' -->
+		<entity name="rang" cdata="&amp;#9002;"/> <!--right-pointing angle bracket = ket, U+232A ISOtech -->
+		<!-- rang is NOT the same character as U+003E 'greater than' or U+203A 'single right-pointing angle quotation mark' -->
+		
+		<!-- Geometric Shapes -->
+		<entity name="loz" cdata="&amp;#9674;"/> <!--lozenge, U+25CA ISOpub -->
+		
+		<!-- Miscellaneous Symbols -->
+		<entity name="spades" cdata="&amp;#9824;"/> <!--black spade suit, U+2660 ISOpub -->
+		<!-- black here seems to mean filled as opposed to hollow -->
+		<entity name="clubs" cdata="&amp;#9827;"/> <!--black club suit = shamrock, U+2663 ISOpub -->
+		<entity name="hearts" cdata="&amp;#9829;"/> <!--black heart suit = valentine, U+2665 ISOpub -->
+		<entity name="diams" cdata="&amp;#9830;"/> <!--black diamond suit, U+2666 ISOpub -->
+		
+		<entity name="quot" cdata="&amp;#34;"  /> <!--quotation mark = APL quote, U+0022 ISOnum -->
+		<!-- Latin Extended-A -->
+		<entity name="OElig" cdata="&amp;#338;" /> <!--latin capital ligature OE, U+0152 ISOlat2 -->
+		<entity name="oelig" cdata="&amp;#339;" /> <!--latin small ligature oe, U+0153 ISOlat2 -->
+		<!-- ligature is a misnomer, this is a separate character in some languages -->
+		<entity name="Scaron" cdata="&amp;#352;" /> <!--latin capital letter S with caron, U+0160 ISOlat2 -->
+		<entity name="scaron" cdata="&amp;#353;" /> <!--latin small letter s with caron, U+0161 ISOlat2 -->
+		<entity name="Yuml" cdata="&amp;#376;" /> <!--latin capital letter Y with diaeresis, U+0178 ISOlat2 -->
+		
+		<!-- Spacing Modifier Letters -->
+		<entity name="circ" cdata="&amp;#710;" /> <!--modifier letter circumflex accent, U+02C6 ISOpub -->
+		<entity name="tilde" cdata="&amp;#732;" /> <!--small tilde, U+02DC ISOdia -->
+		
+		<!-- General Punctuation -->
+		<entity name="ensp" cdata="&amp;#8194;"/> <!--en space, U+2002 ISOpub -->
+		<entity name="emsp" cdata="&amp;#8195;"/> <!--em space, U+2003 ISOpub -->
+		<entity name="thinsp" cdata="&amp;#8201;"/> <!--thin space, U+2009 ISOpub -->
+		<entity name="zwnj" cdata="&amp;#8204;"/> <!--zero width non-joiner, U+200C NEW RFC 2070 -->
+		<entity name="zwj" cdata="&amp;#8205;"/> <!--zero width joiner, U+200D NEW RFC 2070 -->
+		<entity name="lrm" cdata="&amp;#8206;"/> <!--left-to-right mark, U+200E NEW RFC 2070 -->
+		<entity name="rlm" cdata="&amp;#8207;"/> <!--right-to-left mark, U+200F NEW RFC 2070 -->
+		<entity name="ndash" cdata="&amp;#8211;"/> <!--en dash, U+2013 ISOpub -->
+		<entity name="mdash" cdata="&amp;#8212;"/> <!--em dash, U+2014 ISOpub -->
+		<entity name="lsquo" cdata="&amp;#8216;"/> <!--left single quotation mark, U+2018 ISOnum -->
+		<entity name="rsquo" cdata="&amp;#8217;"/> <!--right single quotation mark, U+2019 ISOnum -->
+		<entity name="sbquo" cdata="&amp;#8218;"/> <!--single low-9 quotation mark, U+201A NEW -->
+		<entity name="ldquo" cdata="&amp;#8220;"/> <!--left double quotation mark, U+201C ISOnum -->
+		<entity name="rdquo" cdata="&amp;#8221;"/> <!--right double quotation mark, U+201D ISOnum -->
+		<entity name="bdquo" cdata="&amp;#8222;"/> <!--double low-9 quotation mark, U+201E NEW -->
+		<entity name="dagger" cdata="&amp;#8224;"/> <!--dagger, U+2020 ISOpub -->
+		<entity name="Dagger" cdata="&amp;#8225;"/> <!--double dagger, U+2021 ISOpub -->
+		<entity name="permil" cdata="&amp;#8240;"/> <!--per mille sign, U+2030 ISOtech -->
+		<entity name="lsaquo" cdata="&amp;#8249;"/> <!--single left-pointing angle quotation mark, U+2039 ISO proposed -->
+		<!-- lsaquo is proposed but not yet ISO standardized -->
+		<entity name="rsaquo" cdata="&amp;#8250;"/> <!--single right-pointing angle quotation mark, U+203A ISO proposed -->
+		<!-- rsaquo is proposed but not yet ISO standardized -->
+		<entity name="euro" cdata="&amp;#8364;" /> <!--euro sign, U+20AC NEW -->
+	</html-entities>
+
+</anti-samy-rules>

From 08e53af9103afb823ca2576cb2aff3b9c639b40b Mon Sep 17 00:00:00 2001
From: HJW8472 <koos.wiegman@nl.abnamro.com>
Date: Thu, 2 Jul 2020 08:22:22 +0200
Subject: [PATCH 7/7] Updated-ESAPI.properties-with-comment

---
 configuration/esapi/ESAPI.properties | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/configuration/esapi/ESAPI.properties b/configuration/esapi/ESAPI.properties
index 7ac0fb9d3..bafe1e38c 100644
--- a/configuration/esapi/ESAPI.properties
+++ b/configuration/esapi/ESAPI.properties
@@ -535,3 +535,10 @@ Validator.AcceptLenientDates=false
 #
 #Validator.HtmlValidationAction=clean
 Validator.HtmlValidationAction=throw
+
+# With the fix for #310 to enable loading antisamy-esapi.xml from the classpath
+# also an enhancement was made to be able to use a different filename for the configuration.
+# You don't have to configure the filename here, but in that case the code will keep looking for antisamy-esapi.xml.
+# This is the default behaviour of ESAPI.
+#
+#Validator.HtmlValidationConfigurationFile=antisamy-esapi.xml