sanitize is overkilling my html


agustin....@patagoniansys.com

Apr 30, 2014, 2:09:01 PM
to owasp-java-html-...@googlegroups.com
Hi:

I'm trying to sanitize the HTML generated by a WYSIWYG editor (http://hackerwins.github.io/summernote/), but sanitize() is removing all the HTML tags. I'm doing this:

PolicyFactory sanitizer = Sanitizers.FORMATTING.and(Sanitizers.BLOCKS.and(Sanitizers.STYLES.and(Sanitizers.LINKS)));
String safeHtml = sanitizer.sanitize(unsafeHtml);

Source string:
"<span style="font-weight: bold; text-decoration: underline; background-color: yellow;">aaaaaaaaaaaaaaaaaaaaaaa</span>"

Result:
aaaaaaaaaaaaaaaaaaaaaaa

Am I doing something wrong? From what I've read, the standard sanitizers should be enough in this case.

Mike Samuel

Apr 30, 2014, 2:49:18 PM
to owasp-java-html-...@googlegroups.com
This looks like a bug. Sanitizers.STYLES doesn't work as advertised,
so the style="..." attribute is rejected out of hand, and <span> is
one of the elements that is, by default, stripped when it has no
attributes.

I'm looking into a fix and will respond to this thread when I know more.

I repeated the problem using:

PolicyFactory sanitizer = Sanitizers.FORMATTING
.and(Sanitizers.BLOCKS)
.and(Sanitizers.STYLES)
.and(Sanitizers.LINKS);
String input = "<span style=\"font-weight: bold;"
+ " text-decoration: underline; background-color: yellow;\""
+ ">aaaaaaaaaaaaaaaaaaaaaaa</span>";
String got = sanitizer.sanitize(input);
String want = input;
assertEquals(want, got);

Jim Manico

Apr 30, 2014, 3:05:15 PM
to owasp-java-html-...@googlegroups.com
I dropped this bug into the issue tracker.

https://code.google.com/p/owasp-java-html-sanitizer/issues/detail?id=28

Thanks for the bug report!

Cheers,
Jim

agustin....@patagoniansys.com

Apr 30, 2014, 3:07:05 PM
to owasp-java-html-...@googlegroups.com, mikes...@gmail.com
Solved the problem using a custom policy that allows spans.
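A custom policy of the kind mentioned above, written here as an added example (not the poster's code or the project's own test) against the OWASP Java HTML Sanitizer's HtmlPolicyBuilder API. It assumes a sanitizer version in which allowStyling() and allowWithoutAttributes() behave correctly, since the thread notes the bundled STYLES policy did not at the time; the class name and the sample input are constructed for this example.

```java
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;
import org.owasp.html.Sanitizers;

public class SpanStylePolicy {
    // Explicitly allow <span>, keep it even when it carries no attributes
    // (the default strips attribute-less spans, as noted above), and permit
    // the whitelisted CSS subset in style="". Then combine with the bundled
    // formatting, block and link policies instead of Sanitizers.STYLES.
    static final PolicyFactory POLICY = new HtmlPolicyBuilder()
        .allowElements("span")
        .allowWithoutAttributes("span")
        .allowStyling()
        .toFactory()
        .and(Sanitizers.FORMATTING)
        .and(Sanitizers.BLOCKS)
        .and(Sanitizers.LINKS);

    static String sanitize(String untrustedHtml) {
        return POLICY.sanitize(untrustedHtml);
    }

    public static void main(String[] args) {
        // Constructed sample: the editor's output plus a script element and an
        // inline event handler, which a correct policy must not let through.
        String editorHtml = "<span style=\"font-weight: bold; text-decoration: underline;"
            + " background-color: yellow;\">aaaaaaaaaaaaaaaaaaaaaaa</span>"
            + "<script>x()</script><b onclick=\"x()\">bold</b>";
        String safe = sanitize(editorHtml);
        System.out.println(safe);
        // Checks a maintainer would keep in a unit test: styled span survives,
        // active content does not.
        if (!safe.contains("<span style=")) {
            throw new AssertionError("styled span was dropped");
        }
        if (safe.contains("<script") || safe.contains("onclick")) {
            throw new AssertionError("active content survived sanitization");
        }
    }
}
```

The sanitizer may normalise the CSS text inside style="" (spacing, property order), so compare on the presence of the attribute rather than on an exact string.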

Jim Manico

Apr 30, 2014, 5:05:53 PM
to owasp-java-html-...@googlegroups.com, mikes...@gmail.com
Fantastic! Thanks again for taking the time to report the bug to us.

Aloha,
Jim