Ready baked table-policy


Johannes Lichtenberger

Jun 12, 2014, 3:51:36 AM6/12/14
to owasp-java-html-...@googlegroups.com
Hello,

Do you know if anyone has written a policy to allow table elements (as well as other descendant elements and attributes)? Otherwise I'll probably just extract the parts of the eBay policy example.

kind regards
Johannes

Johannes Lichtenberger

Jun 12, 2014, 4:48:40 AM6/12/14
to owasp-java-html-...@googlegroups.com
With the following code[1], somehow the ElementAndAttributePolicies-instance is null in:

  public void openTag(String elementName, List<String> attrs) {
    // StylingPolicy repeats some of this code because it is more complicated
    // to refactor it into multiple method bodies, so if you change this,
    // check the override of it in that class.
    ElementAndAttributePolicies policies = elAndAttrPolicies.get(elementName);

That is, the key (elementName) exists but has no associated policies (plus I'm just doing an intersection with all the Sanitizers policies), and thus the table element is stripped.

[1] http://pastebin.com/5e3nHRnV

Mike Samuel

Jun 12, 2014, 8:19:36 AM6/12/14
to owasp-java-html-...@googlegroups.com
I could add TABLES to sanitizers.

Elements: <table>, <tr>, <td>, <th>, <tbody>, <tfoot>, <thead>,
<caption>, <colgroup>

Attributes align, valign, colspan, rowspan, cols, and rows as
appropriate for the above?


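A hand-built version of the TABLES policy sketched above, combined with the stock Sanitizers policies via PolicyFactory.and(). This is an added example, not code from the thread or from the sanitizer project; it covers the listed elements and the align/valign/colspan/rowspan attributes (cols/rows are left out), and the sample input and the class name are constructed for illustration.

```java
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;
import org.owasp.html.Sanitizers;

public class TablePolicyExample {

  // Hand-built table policy (assumption: this is one reasonable shape of
  // what Mike proposes, not the project's own TABLES definition).
  // Attributes are tied to the elements they belong on, so colspan/rowspan
  // cannot be smuggled onto unrelated elements.
  public static final PolicyFactory TABLES = new HtmlPolicyBuilder()
      .allowElements("table", "tr", "td", "th", "tbody", "tfoot", "thead",
                     "caption", "colgroup")
      .allowAttributes("colspan", "rowspan").onElements("td", "th")
      .allowAttributes("align", "valign")
          .onElements("table", "tr", "td", "th", "tbody", "tfoot", "thead",
                      "colgroup")
      .toFactory();

  // Merging with the stock policies: PolicyFactory.and() is the supported way
  // to combine factories, so each package of rules stays independently defined.
  public static final PolicyFactory POLICY =
      Sanitizers.FORMATTING.and(Sanitizers.BLOCKS).and(TABLES);

  public static String clean(String untrustedHtml) {
    return POLICY.sanitize(untrustedHtml);
  }

  public static void main(String[] args) {
    // Constructed sample: a table cell carrying an event handler attribute and
    // an inline script. Neither onclick nor <script> is in any allowed list,
    // so only the table structure and colspan are expected to pass through.
    String input = "<table><tr><td colspan=\"2\" onclick=\"alert(1)\">"
        + "cell<script>x()</script></td></tr></table>";
    System.out.println(clean(input));
  }
}
```

Run it with the sanitizer jar on the classpath and compare the printed markup against the input to confirm the event handler and script are gone while the table survives.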

Johannes Lichtenberger

Jun 12, 2014, 8:31:00 AM6/12/14
to owasp-java-html-...@googlegroups.com, mikes...@gmail.com
Thanks, yes, I guess so. I think eventually I have to write a serializer / deserializer for a custom policy, as we used a whitefilter-based approach before (which really was a bad idea in the first place). I guess our customers use a lot of HTML code... at least with TinyMCE (but in this case I'm not even sure if XSS protection is always used).

However, a policy in Sanitizers to allow table elements would be a great start.

kind regards
Johannes

Johannes Lichtenberger

Jun 12, 2014, 8:53:16 AM6/12/14
to owasp-java-html-...@googlegroups.com, mikes...@gmail.com
Oh, but just out of interest. Do you know what's wrong with the other policy I provided?