should not be changed to a space about java-html-sanitizer HOT 9 CLOSED

in the HtmlSanitizer text gets decoded. this should not be done when sanitizing or be optional:

in the sanitize method:

    case TEXT:
      balancer.text(
          Encoding.decodeHtml(html.substring(token.start, token.end)));

from java-html-sanitizer.

Duplicate of issue 30.

from java-html-sanitizer.

If you're going to do string comparison, instead of doing

String inputString = ...;
String sanitizedString = HTMLSanitizer.sanitize(inputString, myPolicy);
if (inputString.equals(sanitizedString)) {
  // Assume no tags or attributes rejected
} else {
  // Assume some tags or attributes rejected
}

why not do

String inputString = ...;
String normalizedString = HTMLSanitizer.sanitize(inputString, policyThatAllowsEverything);
String sanitizedString = HTMLSanitizer.sanitize(inputString, myPolicy);
if (normalizedString.equals(sanitizedString)) {
  // Assume no tags or attributes rejected
} else {
  // Assume some tags or attributes rejected
}

?

That should make your equality test independent of any changes in the way text nodes are represented.

from java-html-sanitizer.

thanks that is a smart work around for the problem of giving feedback. the spaces and &nbsp i could find and replace after the sanitization.

i talked to our pen testers and they don't see the need for the text encoding as long as the tags are removed. i also spoke to our db-er and he was very unhappy with the encoding as then he would need to expend all the fields 5 times to accommodate the longer texts.
so i think i still will remove the encoding

from java-html-sanitizer.

for others: apart from the work around from mikesamuel you can alse use the HtmlChangeListener to track removed tags like this:

public class MyHtmlChangeListener implements HtmlChangeListener<List<String>> {
  public void discardedTag(List<String> context, String elementName) {
    if (context != null) {
        context.add(elementName);
    }
  }

  public void discardedAttributes(List<String> context, String tagName, String... attributeNames) {
    for (String attributeName : attributeNames) {
        if (context != null) {
            context.add(attributeName);
        }
    }
  }
}

from java-html-sanitizer.

so i think i still will remove the encoding

Fair enough. When you fork, I'd appreciate if you'd change the package from org.owasp to avoid confusion with the OWASP endorsed version.

I also won't be held responsible for informing forks of emerging threats, so you'll have to track those yourself.

from java-html-sanitizer.

yes thanks. i have to check if i'm allowed to add my code into the public domain.

from java-html-sanitizer.

yes thanks. i have to check if i'm allowed to add my code into the public domain.

I think "public domain" has a specific legal meaning. This project is not public domain; it has been released under the Apache 2 license and section 4 specifies obligations related to redistribution of modifications.

from java-html-sanitizer.

mmm yes you are right... maybe i'm not allowed to change it than. i will let the project manager think about that 😄

from java-html-sanitizer.