Comments (9)
jmanico
commented on August 16, 2024
Bump to revisit. Mike, perhaps just give me one complex example and I'll use it to flesh out the docs.
from java-html-sanitizer.
pickle-weasle
commented on August 16, 2024
Can't this be achieved with just
this.policy = this.policy.allowUrlProtocols("tel","data");
In the readme there is the following:
PolicyFactory policy = new HtmlPolicyBuilder()
.allowElements("a")
.allowUrlProtocols("https")
.allowAttributes("href").onElements("a")
.requireRelNofollowOnLinks()
.toFactory();
String safeHTML = policy.sanitize(untrustedHTML);
It's hardly much of a stretch to figure how to change that for other protocols.
Could this be closed?
from java-html-sanitizer.
DavesMan
commented on August 16, 2024
Can't this be achieved with just
this.policy = this.policy.allowUrlProtocols("tel","data");
In the readme there is the following:
No. I have allowUrlProtocols("mailto", "javascript", "tel", "https") and this allows https and mailto. But tel & javascript gets stripped.
from java-html-sanitizer.
mikesamuel
commented on August 16, 2024
I put together #126 to try to fill this gap. It integrates a URL classifier engine that lets you express predicates over URLs like
/** We define a classifier with a declarative syntax */
static final UrlClassifier CLASSIFIER = UrlClassifiers.builder()
// We want to allow HTTP and HTTPS for this example
.scheme(BuiltinScheme.HTTP, BuiltinScheme.HTTPS)
.authority(
AuthorityClassifiers.builder()
// We whitelist some subdomains of hosts we trust.
.host("**.example.com", "**.example.net")
.build())
// We allow access to .html files
.pathGlob("**.html")
.build();I haven't integrated it because I don't know if anyone needs that level of flexibility.
It does have better support for data and tel URLs.
If that looks useful, I can move that in.
from java-html-sanitizer.
DavesMan
commented on August 16, 2024
Seems it could save a lot of "custom" work. No I also do some substring and regex checks of URLs using apply method of ElementPolicy.
from java-html-sanitizer.
mikesamuel
commented on August 16, 2024
This issue is about docs and examples.
If you have a problem with mis-encoding of tel: URLs could you open a new issue with an example of a tel: URL which is mis-encoded.
from java-html-sanitizer.
jmanico
commented on August 16, 2024
There is no hostility in this thread that I see. We mean well.
from java-html-sanitizer.
mikesamuel
commented on August 16, 2024
I'm trying to fit my pro-bono work, including this project, in between a lot of other stuff. Sorry if I was abrupt, but I have no hostility towards you.
https://greatergood.berkeley.edu/article/item/six_tips_for_reading_emotions_in_text_messages
Keep in mind that texts are a difficult medium for communicating emotion. We have no facial expressions, or tone of voice, or conversation to give us more information.
If the text doesn’t say, “I’m angry,” then don’t assume that the texter is angry.
I have not read the tel: RFC recently. It would help out if you could provide an example of what you want. Yes, scope creep in issues happens, and it's happened in this thread. It would help me out again though if, something with a concrete success case could happen in a thread that's narrowly tailored, or in the PR comments.
If issue #22 is where you want to discuss it that's great. Recency doesn't matter to me.
What I am asking is whether you had given any thought to protocol-dependent escaping of characters in the above PR.
That PR includes TEL as a BuiltinScheme:
Scheme's control how raw parts are composed into a string.
I don't know if I got that correct, because I've not seen a failing testcase. https://github.com/OWASP/url-classifier/blob/master/src/test/java/org/owasp/url/UrlValueTest.java has tests for encoding of percents so that, e.g. javascript:alert(9 % 2) doesn't have % reencoded to %22 but it doesn't have many tel: examples.
from java-html-sanitizer.
jmiserez
commented on August 16, 2024
I have misinterpreted your response and I apologize. I must admit my initial comment concerning the PR wasn't too clear either.
Thank you for your detailed response, the part concerning javascript escaping is especially relevant and helpful in this context.
I'll try out the test cases and the classifier library in more detail and comment with a test case once I have something more tangible.
from java-html-sanitizer.
Related Issues (20)
- Question: How to not escape characters in plain text
- Incorrect escaping for inline svg+xml data image
- Clarify which BSD license applies
- Encoding.encodeHtmlAttribOnto visibility
- Allow disabling the default attribute guards from HtmlPolicyBuilder
- "<" symbol with text inputs getting cleared, after applied the sanitize HOT 3
- independent attribute auto add value
- Behaviour with malformed HTML Input
- How to customize the policy after defining the policy.
- noopener noreferrer getting added every time even if "noopener noreferrer" already exist HOT 4
- org.springframework.web.multipart.support.MissingServletRequestPartException: Required request part 'issueModel' is not present HOT 1
- <span> elements get removed even when allowed by the policy HOT 2
- bug: closing tag for </html> misplaced HOT 1
- Vulnerable dependency guava:30.1.jre HOT 3
- Licensing issue: BSD-3-Clause or BSD-2-Clause? HOT 1
- Sanitizer converting font names in 'style' attribute value to lower case
- CSS property `overflow-wrap` not included in CssSchema definition list
- xxx-large font-size is discarded when allowStyling() is used HOT 6
- Issue while disallowing attributes matching pattern
- Remove malicious code from svg content HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from java-html-sanitizer.