Comments (3)
This looks like a legit bug.
My guess is that something like this happens:
- The code that eliminates "useless" tags like <img> eliminates the <span>, so it is never entering it on the stack of open elements.
- Then the first </span> is assumed to match up with the non-empty <span style="...">.
- Finally the second </span> matches no open <span> so is dropped on the floor.
This code that handles works well to prevent broken image pictures when a src="..." is banned. IIRC, ESAPI also dropped ` and I did as well trying to be compatible by default.
There's no need for that compatibility though.
I see 2 possible fixes.
1. Insert eliminated tags onto the stack of open tags but marked so that we know to drop the corresponding close tag instead of eliminating it.
2. Remove tags from the default MUST_HAVE_ATTRIBUTES that can have an end tag.
(1) sounds generally useful from a preserving intent-of-input point of view.
Perhaps the code that eliminates text nodes inside eliminated <script>, <style>, <iframe>, <object> elements could be rewritten to check containment based on such phantom elements on the stack.
Since none of those contain tag content, checking the top of the stack is cheap, and then the test becomes whether the top of the stack falls in a set of tags that are defined as display:none in browser stylesheets.
from java-html-sanitizer.
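The stack mechanics described in the comment above, as an added toy model (not the sanitizer's own code): an attribute-less <span> is eliminated, and with `phantom_entries=False` nothing is pushed, so the first </span> closes the styled parent and the second is dropped; with `phantom_entries=True` fix (1) pushes a marked entry whose end tag is silently swallowed. The MUST_HAVE_ATTRIBUTES table, the tokenizer and the sample markup are constructed for this illustration.

```python
import re

# Constructed model of the behaviour described above, not the sanitizer's own
# code.  Hypothetical stand-in for MUST_HAVE_ATTRIBUTES: a <span> carrying none
# of these attributes is "useless" and gets eliminated.
MUST_HAVE_ATTRIBUTES = {"span": {"style", "class"}}
TAG_RE = re.compile(r"<(/?)([a-zA-Z]+)([^>]*)>")
ATTR_RE = re.compile(r'([a-zA-Z-]+)="([^"]*)"')

def tokenize(html):
    """Yield ("text", s), ("open", name, attrs) and ("close", name) tokens."""
    pos = 0
    for m in TAG_RE.finditer(html):
        if m.start() > pos:
            yield ("text", html[pos:m.start()])
        name = m.group(2).lower()
        if m.group(1):
            yield ("close", name)
        else:
            yield ("open", name, dict(ATTR_RE.findall(m.group(3))))
        pos = m.end()
    if pos < len(html):
        yield ("text", html[pos:])

def sanitize(html, phantom_entries):
    """phantom_entries=False reproduces the bug; True applies fix (1) above."""
    out, stack = [], []  # stack entries: (name, is_phantom)
    for tok in tokenize(html):
        if tok[0] == "text":
            out.append(tok[1])
        elif tok[0] == "open":
            _, name, attrs = tok
            required = MUST_HAVE_ATTRIBUTES.get(name, set())
            if required and required.isdisjoint(attrs):
                # Eliminated: the bug is that nothing is pushed, so the
                # element's own </span> later pops its parent instead.
                if phantom_entries:
                    stack.append((name, True))
                continue
            stack.append((name, False))
            out.append("<%s%s>" % (name, "".join(' %s="%s"' % kv for kv in attrs.items())))
        elif stack and stack[-1][0] == tok[1]:  # close tag matching the top
            if not stack.pop()[1]:  # a phantom's end tag is dropped silently
                out.append("</%s>" % tok[1])
        # else: an end tag with no matching open element is dropped on the floor
    while stack:  # close anything still open at end of input
        name, is_phantom = stack.pop()
        if not is_phantom:
            out.append("</%s>" % name)
    return "".join(out)

SAMPLE = '<span style="color:red"><span>a</span>b</span>'  # constructed input
```

Only the top of the stack is compared on a close tag, matching the "checking the top of the stack is cheap" remark; the buggy run moves the text "b" outside the styled span, the fixed run keeps it inside.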
Fixed at 2b3f0aa
from java-html-sanitizer.
I'd like to know how we can have end tags which don't have an open tag eliminated or cause the HtmlChangeListener to emit a message telling us that there was an ending tag without a starting tag.
from java-html-sanitizer.