Issue 28 in owasp-java-html-sanitizer: Sanitizers.STYLES not working as advertised


owasp-java-h...@googlecode.com

Apr 30, 2014, 3:04:49 PM4/30/14
to owasp-java-html-...@googlegroups.com
Status: New
Owner: j...@manico.net
Labels: Type-Defect Priority-Medium

New issue 28 by j...@manico.net: Sanitizers.STYLES not working as advertised
http://code.google.com/p/owasp-java-html-sanitizer/issues/detail?id=28


> I'm trying to sanitize the HTML generated by a WYSIWYG editor
> (http://hackerwins.github.io/summernote/), but sanitize() is cleaning
> all the HTML tags. I'm doing this:

> PolicyFactory sanitizer =
> Sanitizers.FORMATTING.and(Sanitizers.BLOCKS.and(Sanitizers.STYLES.and(Sanitizers.LINKS)));
> sanitizer.sanitize(unsafeHtml);

> Source string:
> "<span style="font-weight: bold; text-decoration: underline;
> background-color: yellow;">aaaaaaaaaaaaaaaaaaaaaaa</span>"

> Result:
> aaaaaaaaaaaaaaaaaaaaaaa

> Am I doing something wrong? From what I've read, the standard sanitizers
> should be enough in this case.


This looks like a bug. Sanitizers.STYLES doesn't work as advertised,
so the style="..." attribute is rejected out of hand, and <span> is
one of the elements that is, by default, stripped when it has no
attributes.

I'm looking into a fix and will respond to this thread when I know more.

I repeated the problem using:

import static org.junit.Assert.assertEquals;

import org.owasp.html.PolicyFactory;
import org.owasp.html.Sanitizers;

// Same composition as the reporter's, written as a chain of and() calls.
PolicyFactory sanitizer = Sanitizers.FORMATTING
.and(Sanitizers.BLOCKS)
.and(Sanitizers.STYLES)
.and(Sanitizers.LINKS);
String input = "<span style=\"font-weight: bold;"
+ " text-decoration: underline; background-color: yellow;\""
+ ">aaaaaaaaaaaaaaaaaaaaaaa</span>";
String got = sanitizer.sanitize(input);
// STYLES is expected to pass the style="..." attribute through unchanged.
String want = input;
assertEquals(want, got);


--
You received this message because this project is configured to send all
issue notifications to this address.
You may adjust your notification preferences at:
https://code.google.com/hosting/settings

owasp-java-h...@googlecode.com

May 5, 2014, 7:22:37 PM5/5/14
to owasp-java-html-...@googlegroups.com
Updates:
Status: Fixed

Comment #1 on issue 28 by mikes...@gmail.com: Sanitizers.STYLES not
fixed at r229

Jim Manico

May 5, 2014, 7:42:13 PM5/5/14
to owasp-java-html-...@googlegroups.com
Every time I see HTML Sanitizer bugs fixed, I think...

http://music.thewikies.com/jonneal/yayquery/the-would-you-please-update-your-code-song

Thanks for all your hard work and dedication to HTML Sanitization, Mike!

Aloha,
Jim

owasp-java-h...@googlecode.com

Jul 30, 2014, 9:41:21 PM7/30/14
to owasp-java-html-...@googlegroups.com

Comment #2 on issue 28 by James.Li...@gmail.com: Sanitizers.STYLES not
This issue does not seem to be fixed properly. Try testing with a span
element with no attributes:

"<span> span text </span>"

or with an attribute that is not explicitly allowed:

"<span class="redtext"> span text </span>"

In both cases, the span element will be removed even if you add
Sanitizers.FORMATTING or add span to the allowed elements manually.

James

owasp-java-h...@googlecode.com

Jul 31, 2014, 8:37:57 AM7/31/14
to owasp-java-html-...@googlegroups.com

Comment #3 on issue 28 by mikes...@gmail.com: Sanitizers.STYLES not
Sanitizers.FORMATTING does not white-list class attributes.

owasp-java-h...@googlecode.com

Aug 3, 2014, 9:09:10 PM8/3/14
to owasp-java-html-...@googlegroups.com

Comment #4 on issue 28 by James.Li...@gmail.com: Sanitizers.STYLES not
Mike

Thank you for the reply.

But still, the empty span element should be allowed with
Sanitizers.FORMATTING, which in fact it is not.

This library works amazingly and helps us a lot with our work. Thanks for the
hard work.

James

owasp-java-h...@googlecode.com

Aug 4, 2014, 8:29:12 AM8/4/14
to owasp-java-html-...@googlegroups.com

Comment #5 on issue 28 by mikes...@gmail.com: Sanitizers.STYLES not
<span> is, by default, one of the elements that is disallowed without
attributes.

Certain elements, <img> and <a> for example, are dropped if they have no
attributes that survive white-listing. This prevents <img>s with rejected
src="..."s from showing up as broken.

https://code.google.com/p/owasp-java-html-sanitizer/issues/detail?id=23
shows how to work around this if you really want attribute-less <span>s in
your output.
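The two behaviours discussed in this thread, the reporter's composed policy and the attribute-less <span> drop explained in comment #5, side by side as an added example (this is not code from the issue or from the sanitizer project). It assumes the HtmlPolicyBuilder methods allowElements, allowWithoutAttributes, allowAttributes(...).matching(...).onElements(...) and toFactory, which are public API of the library; the class name SpanPolicyDemo, the sample inputs and the class-name whitelist pattern are constructed for the demo.

```java
import java.util.regex.Pattern;

import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;
import org.owasp.html.Sanitizers;

public class SpanPolicyDemo {

    // The composition from the original report. After r229, STYLES keeps
    // style="..." attributes, so the reporter's styled <span> survives.
    static final PolicyFactory STANDARD = Sanitizers.FORMATTING
            .and(Sanitizers.BLOCKS)
            .and(Sanitizers.STYLES)
            .and(Sanitizers.LINKS);

    // Opt-in extension for the two cases from comments #2 to #5:
    //  - allowWithoutAttributes("span") keeps a bare <span>, which the
    //    default policy drops like an attribute-less <img> or <a>;
    //  - class is only accepted when its value matches a fixed whitelist,
    //    so arbitrary CSS hooks cannot be smuggled in. The names are
    //    constructed for this demo.
    static final PolicyFactory SPAN_EXTENSION = new HtmlPolicyBuilder()
            .allowElements("span")
            .allowWithoutAttributes("span")
            .allowAttributes("class")
                .matching(Pattern.compile("(?:redtext|bluetext)"))
                .onElements("span")
            .toFactory();

    static final PolicyFactory EXTENDED = STANDARD.and(SPAN_EXTENSION);

    // Constructed inputs: the three snippets posted in the thread plus one
    // with a class value outside the whitelist.
    static final String[] INPUTS = {
        "<span style=\"font-weight: bold; text-decoration: underline;"
            + " background-color: yellow;\">aaaaaaaaaaaaaaaaaaaaaaa</span>",
        "<span> span text </span>",
        "<span class=\"redtext\"> span text </span>",
        "<span class=\"x-unlisted\"> span text </span>",
    };

    public static void main(String[] args) {
        for (String in : INPUTS) {
            System.out.println("input:    " + in);
            System.out.println("standard: " + STANDARD.sanitize(in));
            System.out.println("extended: " + EXTENDED.sanitize(in));
            System.out.println();
        }
    }
}
```

Running this shows the difference the thread describes: the standard composition keeps the styled span but reduces the bare and class-only spans to their text, while the extended policy keeps the bare span and keeps class only for whitelisted values. Constraining the attribute value with matching(...) rather than allowing class outright is the defensive choice: the sanitizer cannot know which class names your stylesheet turns into something harmful, so the whitelist should be exactly the names you intend untrusted content to use.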

owasp-java-h...@googlecode.com

Aug 5, 2014, 3:30:07 AM8/5/14
to owasp-java-html-...@googlegroups.com

Comment #6 on issue 28 by James.Li...@gmail.com: Sanitizers.STYLES not
I think that makes sense.

Thank you for your reply. Have a good day.