Johanna,
You should not be using the HTML sanitizer to sanitize just a color; that's standard validation.
This tool should be used to validate chunks of HTML from a web WYSIWYG editor or textarea.
The test should include a textarea and a submit button.
(1) The textarea is for attackers or bug bounty folk to enter any HTML.
(2) That HTML should then be run through the HTML sanitizer.
(3) That sanitized HTML should then be displayed back at the user. If there is any XSS after the sanitized code is displayed, then you have a bypass for the tool.
I suggest you use one of the default "ebay" or "slashdot" policies. The Slashdot policy (defined here: https://github.com/OWASP/java-html-sanitizer/blob/master/src/main/java/org/owasp/html/examples/SlashdotPolicyExample.java) allows the following tags ("a", "p", "div", "i", "b", "em", "blockquote", "tt", "strong", "br", "ul", "ol", "li") and only certain attributes. This policy also allows the custom Slashdot tags, "quote" and "ecode".
Your server side code should look like this if you want to build your own policy:

    import org.owasp.html.HtmlPolicyBuilder;
    import org.owasp.html.PolicyFactory;

    // Only <a> elements survive, only with an https href, and every link gets rel="nofollow".
    // HtmlPolicyBuilder has no no-arg build(); toFactory() is what returns the PolicyFactory.
    PolicyFactory policy = new HtmlPolicyBuilder()
        .allowElements("a")
        .allowUrlProtocols("https")
        .allowAttributes("href").onElements("a")
        .requireRelNofollowOnLinks()
        .toFactory();
    String safeHTML = policy.sanitize(request.getParameter("data_entry"));

    <%= safeHTML %>

Your UI should just be a form with a textarea named "data_entry" and a submit button.

Cheers,
Jim
--
Jim Manico
Manicode Security
https://www.manicode.com
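The three-step harness Jim describes (textarea in, sanitizer, sanitized HTML rendered back), written out as one servlet. This is an added example, not code from the thread or from the OWASP project; it assumes the owasp-java-html-sanitizer jar and a javax.servlet (Servlet 3.x/4.x) container on the classpath, and the servlet path "/sanitize", the class name and the sample payloads are all the example's own choices. The policy mirrors the Slashdot tag list from the message but does not reproduce the custom "quote"/"ecode" handling.

```java
import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

/** Bypass-hunting harness: POSTed HTML is sanitized and echoed back unescaped on purpose. */
@WebServlet("/sanitize")
public class SanitizerBypassHarness extends HttpServlet {

    // Policy modelled on the Slashdot example: formatting tags, plus links that may only
    // carry an https href and always get rel="nofollow". Everything else is stripped.
    static final PolicyFactory POLICY = new HtmlPolicyBuilder()
        .allowElements("a", "p", "div", "i", "b", "em", "blockquote", "tt", "strong",
                       "br", "ul", "ol", "li")
        .allowUrlProtocols("https")
        .allowAttributes("href").onElements("a")
        .requireRelNofollowOnLinks()
        .toFactory();

    /** The single function under test: the only thing between attacker input and the page. */
    static String sanitize(String untrusted) {
        return untrusted == null ? "" : POLICY.sanitize(untrusted);
    }

    // Step (1): the UI is just a textarea named data_entry and a submit button.
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        resp.setContentType("text/html;charset=UTF-8");
        PrintWriter out = resp.getWriter();
        out.println("<!doctype html><html><body>");
        out.println("<form method=\"post\" action=\"sanitize\">");
        out.println("<textarea name=\"data_entry\" rows=\"10\" cols=\"80\"></textarea><br>");
        out.println("<button type=\"submit\">Sanitize</button>");
        out.println("</form></body></html>");
    }

    // Steps (2) and (3): run the submitted HTML through the policy and render the result.
    // The sanitized string is deliberately written without further escaping; if anything
    // executes in the browser at this point, the policy has been bypassed. The raw input is
    // never echoed, so a bypass can only come from the sanitizer's output.
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        req.setCharacterEncoding("UTF-8");
        resp.setContentType("text/html;charset=UTF-8");
        String safeHTML = sanitize(req.getParameter("data_entry"));
        PrintWriter out = resp.getWriter();
        out.println("<!doctype html><html><body>");
        out.println("<p>Sanitized output rendered below:</p><hr>");
        out.println(safeHTML);
        out.println("<hr><p><a href=\"sanitize\">Try again</a></p></body></html>");
    }

    // Offline check without a container: constructed attacker payloads, printed before/after.
    // None of the outputs should contain a script element, a javascript: URL or an on* handler.
    public static void main(String[] args) {
        String[] samples = {                                    // constructed sample inputs
            "<b>bold</b> <script>alert(1)</script>",
            "<a href=\"javascript:alert(1)\">click</a>",
            "<a href=\"https://example.com/\" onclick=\"alert(1)\">ok</a>",
            "<img src=x onerror=alert(1)>",
            "<p style=\"background:url(javascript:alert(1))\">styled</p>",
        };
        for (String s : samples) {
            System.out.println("IN : " + s);
            System.out.println("OUT: " + sanitize(s));
            System.out.println();
        }
    }
}
```

Run the main() first to see what the policy does to the usual payload shapes, then deploy the servlet and let testers post into it; because the response is rendered as HTML, a bypass shows up as real script execution in the browser rather than as a string in a log.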