OWASP HTML Sanitizer cleans comments


Володимир Ригель

Dec 2, 2016, 5:00:27 PM
to OWASP Java HTML Sanitizer Support
Hi,

I have an application where a customer can store the following HTML lines in order to load different styles for the actual browser:

    <!--[if IE 6]><link rel="stylesheet" type="text/css" media="all" href="default/css/general_ie6.css"><![endif]--> 
    <!--[if IE 7]><link rel="stylesheet" type="text/css" media="all" href="default/css/general_ie7.css"><![endif]--> 
    <!--[if IE 8]><link rel="stylesheet" type="text/css" media="all" href="default/css/general_ie8.css"><![endif]--> 


Also, I've configured the `OWASP policy` to disallow malicious HTML tags in the following way:

    new HtmlPolicyBuilder().allowElements("link").allowAttributes("rel", "type", "media", "href").onElements("link").toFactory();

But after sanitization, the "if browser" lines are dropped.

Could you please suggest how to configure the policy in order to allow storing such content?

Regards,
Volodymyr

Jim Manico

Dec 3, 2016, 2:29:47 AM
to owasp-java-html-...@googlegroups.com
HTML comments have a variety of historical security issues, so they are not supported.

This tool is to sanitize WYSIWYG content from TinyMCE and similar. Plus, IE6 is a very end-of-life browser which we do not test on or support.

You may wish to give the JSoup project a try; I don't think we're the best path for your use case.

Respectfully,
Jim
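To make the behaviour discussed above concrete, here is an added example (not code from the thread or from the OWASP project) that applies the exact policy from the question and shows that the sanitizer drops every comment, conditional or not, while the plain `<link>` element the policy allows is kept. The input string is constructed for the demonstration; the class and method names are my own.

```java
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

public class ConditionalCommentDemo {

    // The policy exactly as configured in the question: only <link> with
    // rel/type/media/href survives, everything else is stripped.
    static final PolicyFactory POLICY = new HtmlPolicyBuilder()
            .allowElements("link")
            .allowAttributes("rel", "type", "media", "href").onElements("link")
            .toFactory();

    /** Runs the policy over untrusted HTML and returns the sanitized markup. */
    public static String sanitize(String html) {
        return POLICY.sanitize(html);
    }

    public static void main(String[] args) {
        // Constructed sample: an IE conditional comment (as in the question),
        // an ordinary comment, and a plain <link> that the policy allows.
        String input =
              "<!--[if IE 6]><link rel=\"stylesheet\" type=\"text/css\" media=\"all\""
            + " href=\"default/css/general_ie6.css\"><![endif]-->\n"
            + "<!-- ordinary comment -->\n"
            + "<link rel=\"stylesheet\" type=\"text/css\" media=\"all\""
            + " href=\"default/css/general.css\">";

        String out = sanitize(input);
        System.out.println(out);

        // The HTML tokenizer treats <!--[if IE 6]> ... <![endif]--> as one comment,
        // so the <link> inside it is never seen as an element and is dropped with
        // the comment. Comments are not emitted regardless of the policy, which is
        // why no HtmlPolicyBuilder setting can let them through.
        if (out.contains("<!--") || out.contains("[if IE")) {
            throw new IllegalStateException("sanitizer unexpectedly emitted a comment");
        }
    }
}
```

For a defender this is the useful property: markup hidden inside a conditional comment is invisible to the sanitizer's element policy, so passing comments through would mean passing through unchecked markup, which is why browser-specific stylesheet links belong in the server-controlled page template rather than in user-supplied content.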