Status: New
Owner: j...@manico.net
Labels: Type-Defect Priority-Medium
New issue 28 by j...@manico.net: Sanitizers.STYLES not working as advertised
http://code.google.com/p/owasp-java-html-sanitizer/issues/detail?id=28
> I'm trying to sanitize the HTML generated by a WYSIWYG editor
> (http://hackerwins.github.io/summernote/), but sanitize() is cleaning
> all the HTML tags. I'm doing this:
> PolicyFactory sanitizer =
> Sanitizers.FORMATTING.and(Sanitizers.BLOCKS.and(Sanitizers.STYLES.and(Sanitizers.LINKS)));
> sanitizer.sanitize(unsafeHtml);
> Source string:
> "<span style="font-weight: bold; text-decoration: underline;
> background-color: yellow;">aaaaaaaaaaaaaaaaaaaaaaa</span>"
> Result:
> aaaaaaaaaaaaaaaaaaaaaaa
> Am I doing something wrong? From what I've read, the standard sanitizers
> should be enough in this case.
This looks like a bug. Sanitizers.STYLES doesn't work as advertised,
so the style="..." attribute is rejected out of hand, and <span> is
one of the elements that is, by default, stripped when it has no
attributes.
I'm looking into a fix and will respond to this thread when I know more.
I repeated the problem using:
import static org.junit.Assert.assertEquals;
import org.owasp.html.PolicyFactory;
import org.owasp.html.Sanitizers;

// Same combination of prebuilt policies as in the report.
PolicyFactory sanitizer = Sanitizers.FORMATTING
    .and(Sanitizers.BLOCKS)
    .and(Sanitizers.STYLES)
    .and(Sanitizers.LINKS);
String input = "<span style=\"font-weight: bold;"
    + " text-decoration: underline; background-color: yellow;\""
    + ">aaaaaaaaaaaaaaaaaaaaaaa</span>";
String got = sanitizer.sanitize(input);
// The span and its style attribute should survive unchanged; with the
// bug present the assertion fails because only the text content is kept.
String want = input;
assertEquals(want, got);
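The two behaviours described above, as an added illustration that is not code from the issue thread or the project: the reporter's prebuilt-policy combination beside an explicit HtmlPolicyBuilder policy that admits <span> and a CSS-sanitized style attribute, and the effect of the builder's default dropping of attribute-less <span>. The class and method names are hypothetical; the library calls are the sanitizer's public API.

```java
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;
import org.owasp.html.Sanitizers;

// Added demo, not part of the issue thread; names are hypothetical.
public class SpanStyleDemo {

  // Constructed input: the reporter's markup with shortened text content.
  static final String INPUT =
      "<span style=\"font-weight: bold; text-decoration: underline;"
      + " background-color: yellow;\">aaaaaaaa</span>";

  // The prebuilt policies combined exactly as in the report.
  static String withPrebuiltPolicies(String html) {
    PolicyFactory stock = Sanitizers.FORMATTING
        .and(Sanitizers.BLOCKS)
        .and(Sanitizers.STYLES)
        .and(Sanitizers.LINKS);
    return stock.sanitize(html);
  }

  // Explicit policy: allowElements keeps <span>; allowStyling admits the
  // style attribute but runs each declaration through the library's CSS
  // schema, so only whitelisted properties and values are kept.
  static String withExplicitStylingPolicy(String html) {
    PolicyFactory explicit = new HtmlPolicyBuilder()
        .allowElements("span")
        .allowStyling()
        .toFactory();
    return explicit.sanitize(html);
  }

  // HtmlPolicyBuilder drops <span> by default once no attribute survives
  // sanitization (the second half of the maintainer's explanation).
  // allowWithoutAttributes opts a bare <span> back in.
  static String keepingBareSpans(String html) {
    PolicyFactory keepBare = new HtmlPolicyBuilder()
        .allowElements("span")
        .allowWithoutAttributes("span")
        .allowStyling()
        .toFactory();
    return keepBare.sanitize(html);
  }

  public static void main(String[] args) {
    System.out.println("prebuilt : " + withPrebuiltPolicies(INPUT));
    System.out.println("explicit : " + withExplicitStylingPolicy(INPUT));
    System.out.println("bare span: " + keepingBareSpans("<span>plain</span>"));
  }
}
```

Compare the three outputs side by side: the explicit policy shows what a correctly applied styling policy keeps, and the bare-span case shows that retaining <span> is a separate opt-in from allowing its style attribute.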