Comments (4)
Also I care about the "src" tag, in case of
<DIV STYLE="border-image: url(images/javascript.png) 30 round round;">
I should make this check:
PolicyFactory policy = new HtmlPolicyBuilder()
    .allowElements("p")
    .allowElements(new ElementPolicy() {
        public String apply(String elementName, List<String> attrs) {
            // StylingPolicy, CSSPropertyChecker, CSSPropertyValue, CSSPropertyURL and
            // TagsSet are the commenter's proposed API, not classes the library ships.
            StylingPolicy sp = new StylingPolicy();
            sp.allowCSSProperty("color");
            sp.addCssPropertyChecker(new CSSPropertyChecker() {
                public boolean includeThisProperty(String propertyName, String propertyValue) {
                    CSSPropertyValue prop = new CSSPropertyValue(propertyValue);
                    if (prop.isURLResource()) {
                        CSSPropertyURL urlProp = new CSSPropertyURL(prop);
                        if (!urlProp.getDomain().equals(MY_DOMAIN)) {
                            // CSS resource from a third-party domain
                            return false; // disallow
                        } else {
                            return true;
                        }
                    }
                    if (prop.isExpression()) {
                        // disallow e.g. width: expression(alert('XSS'));
                        return false;
                    }
                    return true;
                }
            }, List.of("border-image"));
            sp.applyTo(attrs);
            return elementName;
        }
    }, TagsSet.ALLOWED)
    .build();
String safeHTML = policy.sanitize(untrustedHTML);
to prevent both "expression" and CSS url() resources from third-party domains.
Original comment by [email protected]
on 19 Jun 2013 at 2:23
from java-html-sanitizer.
And don't forget that some CSS properties can have multiple values.
Original comment by [email protected]
on 19 Jun 2013 at 2:25
from java-html-sanitizer.
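One way to implement the check described in the two comments above (same-origin url() resources only, no expression(), every value of a multi-value property checked) against the sanitizer's real AttributePolicy extension point on the style attribute. This is an added example, not the commenter's proposed API and not the library's own StylingPolicy; MY_DOMAIN, ALLOWED_PROPERTIES, the allowed function set and the sample inputs are assumptions, and it assumes Java 9+ for Set.of.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import org.owasp.html.AttributePolicy;
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

/**
 * Illustrative style-attribute policy (not part of the OWASP sanitizer):
 * keeps only whitelisted properties, drops any declaration that calls a
 * function other than url()/rgb()/rgba(), and drops url() resources whose
 * host is not MY_DOMAIN. MY_DOMAIN and ALLOWED_PROPERTIES are assumptions.
 */
public final class SameOriginStylePolicy implements AttributePolicy {
  static final String MY_DOMAIN = "example.com"; // assumed first-party host

  static final Set<String> ALLOWED_PROPERTIES =
      Set.of("color", "background-color", "border-image", "background-image");

  private static final Set<String> ALLOWED_FUNCTIONS = Set.of("url", "rgb", "rgba");

  // Crude tokenizers; only acceptable because valueIsSafe() refuses escapes and comments first.
  private static final Pattern FUNCTION_CALL =
      Pattern.compile("([A-Za-z_-][A-Za-z0-9_-]*)\\s*\\(");
  private static final Pattern URL_ARG =
      Pattern.compile("url\\(\\s*['\"]?([^'\")]*)['\"]?\\s*\\)", Pattern.CASE_INSENSITIVE);

  @Override
  public String apply(String elementName, String attributeName, String value) {
    StringBuilder kept = new StringBuilder();
    // Each declaration is checked on its own: one bad declaration does not drop
    // the others, and a property with several values has every value checked.
    for (String declaration : value.split(";")) {
      int colon = declaration.indexOf(':');
      if (colon < 0) continue;
      String name = declaration.substring(0, colon).trim().toLowerCase(Locale.ROOT);
      String val = declaration.substring(colon + 1).trim();
      if (!ALLOWED_PROPERTIES.contains(name) || !valueIsSafe(val)) continue;
      kept.append(name).append(": ").append(val).append("; ");
    }
    // Returning null tells the sanitizer to drop the attribute entirely.
    return kept.length() == 0 ? null : kept.toString().trim();
  }

  static boolean valueIsSafe(String val) {
    // Backslash escapes and comments let "expression(" be spelled as
    // "expr\65ssion(" or "expr/**/ession("; reject them instead of decoding.
    if (val.indexOf('\\') >= 0 || val.contains("/*")) return false;

    Matcher fn = FUNCTION_CALL.matcher(val);
    while (fn.find()) {
      if (!ALLOWED_FUNCTIONS.contains(fn.group(1).toLowerCase(Locale.ROOT))) {
        return false; // e.g. expression(alert('XSS'))
      }
    }
    Matcher url = URL_ARG.matcher(val);
    while (url.find()) {
      if (!isFirstPartyUrl(url.group(1).trim())) return false;
    }
    return true;
  }

  static boolean isFirstPartyUrl(String url) {
    URI uri;
    try {
      uri = new URI(url);
    } catch (URISyntaxException e) {
      return false;
    }
    String scheme = uri.getScheme();
    String host = uri.getHost();
    if (scheme == null && host == null) {
      return !url.startsWith("//"); // relative path on our own origin
    }
    if (scheme == null || !(scheme.equalsIgnoreCase("http") || scheme.equalsIgnoreCase("https"))) {
      return false; // javascript:, data:, vbscript:, protocol-relative, ... are never allowed
    }
    return host != null && host.equalsIgnoreCase(MY_DOMAIN);
  }

  public static PolicyFactory policy() {
    return new HtmlPolicyBuilder()
        .allowElements("p", "div", "span")
        .allowAttributes("style").matching(new SameOriginStylePolicy()).globally()
        .toFactory();
  }

  public static void main(String[] args) {
    PolicyFactory p = policy();
    // Constructed inputs, not taken from the issue thread.
    String[] samples = {
      "<div style=\"border-image: url(https://example.com/b.png) 30 round round\">same origin</div>",
      "<div style=\"border-image: url(https://attacker.example/b.png) 30 round round\">third party</div>",
      "<div style=\"width: expression(alert('XSS')); color: red\">expression</div>",
      "<div style=\"background-image: url(/a.png), url(//attacker.example/b.png)\">multi-value</div>",
    };
    for (String html : samples) {
      System.out.println(p.sanitize(html));
    }
  }
}
```

The value scanner is deliberately conservative: it refuses backslash escapes and comments outright rather than trying to decode them, because a regex tokenizer that decoded them would be the first thing an attacker bypassed. For anything beyond a demonstration, prefer allowStyling(CssSchema.withProperties(...)), which runs the value through the library's own CSS tokenizer and per-property schema instead of hand-rolled parsing.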
Also, what about the <style> tag? Should this allow styles from users? In the case of
WYSIWYG there are some styles that should be allowed. In general there must be an
element style parser.
Original comment by [email protected]
on 19 Jun 2013 at 2:56
from java-html-sanitizer.
Please ask questions on the mailing list, not in the issue list.
https://groups.google.com/forum/?fromgroups#!forum/owasp-java-html-sanitizer-support
Original comment by [email protected]
on 19 Jun 2013 at 10:14
- Changed state: Invalid
from java-html-sanitizer.