Can I whitelist a set of domains for use in URLs?


jer...@autoap.com

unread,
Jun 25, 2014, 11:22:17 AM
to owasp-java-html-...@googlegroups.com
I have a requirement to allow img elements, but only if their src attributes are either relative or originate from a few domains that I have whitelisted.

Can the OWASP sanitizer handle that? If not, are there any suggested approaches to dealing with this type of requirement?

Mike Samuel

unread,
Jun 26, 2014, 8:55:17 AM
to owasp-java-html-...@googlegroups.com
https://code.google.com/p/owasp-java-html-sanitizer/source/browse/trunk/src/main/org/owasp/html/examples/EbayPolicyExample.java#141
shows an example
.allowAttributes("href").matching(ONSITE_OR_OFFSITE_URL)
.onElements("a")

You can replace ONSITE_OR_OFFSITE_URL with a java.util.regex.Pattern
or Predicate<String> of your choosing.

I need to make it easier to generate matchers for URLs based on
properties like origin since that's a bit of a black art.

Using a Predicate<String> with java.net.URI would help you isolate the
authority part. Let me know if you need help phrasing a
predicate/regex solution.
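The approach Mike sketches above (a `Predicate<String>` that uses `java.net.URI` to isolate the authority, plugged into `.allowAttributes("src").matching(...)`), worked through as an added example. This is not code from the thread or from the sanitizer project itself; it assumes a recent release whose `matching(...)` overload takes `java.util.function.Predicate` (the 2014-era releases took Guava's `com.google.common.base.Predicate`, so the import would change), and the host names, class name `WhitelistedImgSrc` and sample inputs are constructed for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;
import java.util.function.Predicate;

import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

/**
 * Accepts an img src only if it is a relative reference, or an http(s) URL
 * whose host is one of the whitelisted domains (or a subdomain of one).
 * Class name and domain list are illustrative, not part of the sanitizer.
 */
public final class WhitelistedImgSrc implements Predicate<String> {
  private final Set<String> allowedHosts; // lower-case registrable domains

  public WhitelistedImgSrc(Set<String> allowedHosts) {
    this.allowedHosts = allowedHosts;
  }

  @Override
  public boolean test(String url) {
    final URI uri;
    try {
      // java.net.URI is strict (rejects backslashes, spaces, etc.); an
      // unparseable value is rejected rather than guessed at.
      uri = new URI(url.trim());
    } catch (URISyntaxException e) {
      return false;
    }
    String scheme = uri.getScheme();
    String host = uri.getHost();

    // Relative reference: no scheme and no authority, e.g. "/img/a.png",
    // "a.png", "?size=2". Scheme-relative "//host/x" has an authority and
    // therefore falls through to the host check below.
    if (scheme == null && uri.getRawAuthority() == null) {
      return true;
    }
    // Anything that is not http/https (javascript:, data:, file:, ...) is out.
    if (scheme != null
        && !scheme.equalsIgnoreCase("http")
        && !scheme.equalsIgnoreCase("https")) {
      return false;
    }
    // getHost() excludes userinfo, so "http://cdn.example.com@evil.test/"
    // yields host "evil.test" and is correctly rejected.
    if (host == null) {
      return false;
    }
    String h = host.toLowerCase(Locale.ROOT);
    if (h.endsWith(".")) {
      h = h.substring(0, h.length() - 1); // trailing-dot FQDN form
    }
    for (String allowed : allowedHosts) {
      // Match the exact host or a subdomain. The "." prefix matters:
      // h.endsWith(allowed) alone would accept "notcdn.example.com".
      if (h.equals(allowed) || h.endsWith("." + allowed)) {
        return true;
      }
    }
    return false;
  }

  /** Builds a policy that keeps img elements only when src passes the predicate. */
  public static PolicyFactory policy(Set<String> allowedHosts) {
    return new HtmlPolicyBuilder()
        .allowElements("img")
        // Without this, the sanitizer drops URL attributes with a scheme.
        .allowUrlProtocols("http", "https")
        .allowAttributes("src").matching(new WhitelistedImgSrc(allowedHosts)).onElements("img")
        .allowAttributes("alt").onElements("img")
        .toFactory();
  }

  public static void main(String[] args) {
    // Constructed whitelist and inputs for demonstration (Java 9+ for Set.of).
    PolicyFactory p = policy(Set.of("cdn.example.com", "img.example.org"));
    String[] inputs = {
      "<img src=\"/images/logo.png\" alt=\"ok: relative\">",
      "<img src=\"https://cdn.example.com/a.png\" alt=\"ok: whitelisted\">",
      "<img src=\"https://static.img.example.org/b.png\" alt=\"ok: subdomain\">",
      "<img src=\"https://notcdn.example.com/c.png\" alt=\"dropped: lookalike\">",
      "<img src=\"http://cdn.example.com@evil.test/d.png\" alt=\"dropped: userinfo\">",
      "<img src=\"//evil.test/e.png\" alt=\"dropped: scheme-relative offsite\">",
      "<img src=\"javascript:alert(1)\" alt=\"dropped: non-http scheme\">",
    };
    for (String in : inputs) {
      System.out.println(in + "\n  -> " + p.sanitize(in));
    }
  }
}
```

When the predicate returns false the sanitizer drops the `src` attribute; since `img` without `src` is not useful, you may prefer to pair this with a post-processing step or simply accept the empty element, depending on your rendering. The predicate is also a reasonable shape for `href` on `a`, which is what the EbayPolicyExample line Mike links to does with `ONSITE_OR_OFFSITE_URL`.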