Probably strange behavior.


Johannes Lichtenberger

May 22, 2014, 9:52:29 AM5/22/14
to owasp-java-html-...@googlegroups.com
Hello,

I want to sanitize the following string:

xss<a href="http://www.google.de" style="color:red;" onmouseover=alert(1) onmousemove="alert(2) onclick=alert(3)>google</a>

With the following policy it shouldn't replace style="" with "", that is, the style="" attribute should be preserved, I guess.

        import org.owasp.html.PolicyFactory;
        import org.owasp.html.Sanitizers;

        // Union of the prebuilt policies; STYLES is the one that allows the style attribute.
        final PolicyFactory l_policy = Sanitizers.FORMATTING.and(Sanitizers.LINKS).and(Sanitizers.BLOCKS).and(Sanitizers.IMAGES).and(Sanitizers.STYLES);

        return l_policy.sanitize(l_untrustedHTML);

However the sanitized String is:
        xss<a href="http://www.google.de" rel="nofollow"></a>

kind regards
Johannes

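As an added example (not code from the post or from the OWASP Java HTML Sanitizer project), the policy composition from the post is shown next to an explicit HtmlPolicyBuilder equivalent, with a check after sanitization that no on* handler attribute survived. The class name, the sanitizeChecked helper, the regular expression and both input strings are constructed for this example; the explicit policy lists only what the posted input needs (a, href, style, rel="nofollow"), not everything the five prebuilt Sanitizers allow. The second input is the string exactly as posted: under HTML tokenization rules the unclosed quote after alert(2) makes the rest of the input, including >google</a>, part of the onmousemove attribute value, so there is no link text for any sanitizer to preserve.

```java
// Added example, not code from the original post or from the OWASP Java HTML Sanitizer
// project. Compares the prebuilt policy composition with an explicit HtmlPolicyBuilder
// policy and checks that no inline event handler survives sanitization.
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;
import org.owasp.html.Sanitizers;

import java.util.regex.Pattern;

public class SanitizerPolicyDemo {

    // The composition from the post: each Sanitizers.X is a PolicyFactory and and()
    // yields the union of their element/attribute allow-lists.
    static final PolicyFactory PREBUILT = Sanitizers.FORMATTING
            .and(Sanitizers.LINKS)
            .and(Sanitizers.BLOCKS)
            .and(Sanitizers.IMAGES)
            .and(Sanitizers.STYLES);

    // Hand-written policy covering only what the example input needs: <a href> over the
    // standard URL protocols, rel="nofollow" forced on links, and style attributes filtered
    // through the library's CSS schema (what Sanitizers.STYLES enables). Everything not
    // listed, including every on* handler, is dropped because a policy is an allow-list.
    static final PolicyFactory EXPLICIT = new HtmlPolicyBuilder()
            .allowStandardUrlProtocols()
            .allowElements("a")
            .allowAttributes("href").onElements("a")
            .requireRelNofollowOnLinks()
            .allowStyling()
            .toFactory();

    // Heuristic match for an inline event-handler attribute such as onmouseover= or onclick=
    // in the sanitizer output (assumption: the output is attribute-quoted markup as the
    // library emits it, so a surviving handler would appear as whitespace + on<name>=).
    private static final Pattern EVENT_HANDLER = Pattern.compile("(?i)\\son[a-z]+\\s*=");

    /** Sanitizes with the given policy and refuses any output still carrying an on* attribute. */
    static String sanitizeChecked(PolicyFactory policy, String untrusted) {
        String safe = policy.sanitize(untrusted);
        if (EVENT_HANDLER.matcher(safe).find()) {
            throw new IllegalStateException("event handler survived sanitization: " + safe);
        }
        return safe;
    }

    public static void main(String[] args) {
        // Constructed input: the post's string with the quote around alert(2) closed, so the
        // link text is real element content rather than part of an attribute value.
        String wellFormed = "xss<a href=\"http://www.google.de\" style=\"color:red;\""
                + " onmouseover=alert(1) onmousemove=\"alert(2)\" onclick=alert(3)>google</a>";
        // The string exactly as posted: the unclosed quote after alert(2) swallows the rest of
        // the input, including >google</a>, into the onmousemove attribute value.
        String asPosted = "xss<a href=\"http://www.google.de\" style=\"color:red;\""
                + " onmouseover=alert(1) onmousemove=\"alert(2) onclick=alert(3)>google</a>";

        for (String input : new String[] { wellFormed, asPosted }) {
            System.out.println("input:    " + input);
            System.out.println("prebuilt: " + sanitizeChecked(PREBUILT, input));
            System.out.println("explicit: " + sanitizeChecked(EXPLICIT, input));
            System.out.println();
        }
    }
}
```

Run it against whichever sanitizer JAR is on the classpath; comparing the two outputs for the well-formed input shows what the prebuilt composition allows beyond the explicit policy, and the post-sanitization check is the kind of regression assertion worth keeping in a test suite when upgrading the library.
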
Mike Samuel

May 22, 2014, 2:08:58 PM5/22/14
to owasp-java-html-...@googlegroups.com

What version are you using?

--
You received this message because you are subscribed to the Google Groups "OWASP Java HTML Sanitizer Support" group.

Johannes Lichtenberger

May 23, 2014, 2:39:49 AM5/23/14
to owasp-java-html-...@googlegroups.com, mikes...@gmail.com
On Thursday, May 22, 2014 at 20:08:58 UTC+2, Mike Samuel wrote:

> What version are you using?

Johannes Lichtenberger

May 26, 2014, 8:03:46 AM5/26/14
to owasp-java-html-...@googlegroups.com, mikes...@gmail.com

It's fixed in the most recent JAR :-)

kind regards
Johannes