Simplify policies that require constraints on a URL based on its protocol about java-html-sanitizer HOT 6 OPEN

Bump to revisit.

from java-html-sanitizer.

I would love an abbreviation for this, too.

Could you please help me out getting this to work:

	private static final PolicyFactory htmlSanitizer = new HtmlPolicyBuilder()
	        .allowUrlProtocols("data", "https", "http", "mailto")
	        .allowAttributes("src")
	        .matching(Pattern.compile("^(data:image/(gif|png|jpeg)[,;]|http|https|mailto|//)", Pattern.CASE_INSENSITIVE))
	        .onElements("img")
	        .toFactory()
	        .and(Sanitizers.IMAGES)
	        .and(Sanitizers.BLOCKS);

	public static void main(String[] args) {
		System.out.println(HtmlSanitize("<img src=\"data:image/gif;base64,R0lGODlhEAAQAMQAAORHHOVSKudfOulrSOp3WOyDZu6QdvCchPGolfO0o\" /><p>test</p>"));
	}

I get <p>test</p> here, but the embedded image is missing. Changing src="data to src="http however works. What am I doing wrong?

from java-html-sanitizer.

Got it to work:

	private static final PolicyFactory htmlImageSanitizer = new HtmlPolicyBuilder()
	        .allowUrlProtocols("data", "http", "https")
	        .allowElements("img")
	        .allowAttributes("src")
	        .matching(Pattern.compile("^(data:image/(gif|png|jpeg)[,;]|http|https|mailto|//).+", Pattern.CASE_INSENSITIVE))
	        .onElements("img")
	        .toFactory();
	private static final PolicyFactory htmlSanitizer = htmlImageSanitizer.and(Sanitizers.BLOCKS).and(Sanitizers.FORMATTING).and(Sanitizers.LINKS).and(Sanitizers.STYLES).and(Sanitizers.TABLES);

from java-html-sanitizer.

Your solution seems complicated but the API doesn't obviously allow for a better way, so it's probably the API's fault.

There seem to be some separable concerns here:

• It's hard to restrict data URLs to particular mime-types.
• It's hard to restrict URLs to some attributes and not others.

I think the first problem is a symptom of a larger problem: it's hard to match URLs.
If we had a way to specify a concisely specify a set of URLs, then we could solve the second problem via an API like

    allowAttributes("src")
    .matchingUrls(...)
    .onElements("img")

where the ... encapsulates (http, https, or data with content-type in image/(gif|png|jpeg)).

What do you think of https://gist.github.com/mikesamuel/e9720a0acc0601372deba3bf0896f33a as a proposed API for solving the larger problem?

_{^{Note to self: I'm finding excuses to write specifications, so I should probably figure out what work I'm subconsciously avoiding and do it.}}

from java-html-sanitizer.

Your API would be great at this point and definitely its implementation would be worth the effort.

from java-html-sanitizer.

https://github.com/OWASP/url-classifier is an experimental URL classifier API based on that gist.

#126 integrates it into java-html-sanitizer.

Neither is ready for prime-time yet, but you can play around.

from java-html-sanitizer.