Configuring HtmlPolicyBuilder to remove text contained between disallowed HTML tags


Henry Reed

Nov 26, 2014, 1:48:50 AM11/26/14
to owasp-java-html-...@googlegroups.com
Hi guys,

Looks like a good product. I'm testing it out in an Android app with a custom whitelist. Our client has an explicit list of elements and attributes that they want us to allow/disallow, so I've configured the Policy Builder like this:

private static final PolicyFactory INSTANCE = new HtmlPolicyBuilder()
                .allowElements(
                        "a",
                        "b",
                        "blockquote",
                        "br",
               ... lots more allowed tags here...
                        "tr",
                        "u",
                        "ul")
                .allowAttributes("href", "rel").onElements("a")
                .allowAttributes("cite").onElements("blockquote")
                .allowAttributes("src", "alt", "width", "height").onElements("img")
                .allowAttributes("cite").onElements("q")
                .allowAttributes("colspan", "rowspan").onElements("td")
                .allowAttributes("colspan", "rowspan").onElements("thead")
                .toFactory();

Now I can sanitize HTML at will by calling INSTANCE.sanitize(String html). So far so good.


One test string that must be sanitised is as follows:

<hr />Hello<h1>OK</h1><blink>evil</blink><script>alert('Evil');</script>


However, this produces the following sanitised HTML:


<hr />Hello<h1>OK</h1>evil


The disallowed tag <blink> has indeed been removed, but is it possible to configure the HtmlPolicyBuilder to remove not just the disallowed tags, but the content *inside* the tags as well? The client wants to see just:


<hr />Hello<h1>OK</h1>


Many thanks,


Henry.



Jim Manico

Nov 27, 2014, 10:24:16 AM11/27/14
to owasp-java-html-...@googlegroups.com
Can this be a configurable option? I can see cases where I want to preserve that content, and cases where I'd like it gone...

aloha,
--
Jim Manico
@Manicode

wynn...@gmail.com

Aug 23, 2016, 3:26:15 PM8/23/16
to OWASP Java HTML Sanitizer Support
I know this is an old thread, but this is exactly my question at the minute and I can't find too many resources online for configuring OJHS. Has this been answered elsewhere?
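Worked example added by the editor; it is not code from this thread or from the OWASP project's own documentation. It assumes the sanitizer version in use has HtmlPolicyBuilder.disallowTextIn(String...) (older builds lack it), uses a shortened whitelist in place of the original post's long one, and feeds the thread's test string plus a second constructed input through two policies: one shaped like the original post, which keeps the text between stripped tags, and one that additionally names the elements whose text should be dropped. The class and method names are this example's own.

```java
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

public final class DropDisallowedText {

    // Shortened stand-in for the whitelist in the original post.
    private static final String[] ALLOWED_ELEMENTS = {
        "a", "b", "blockquote", "br", "h1", "hr", "img", "li", "p", "q", "ul"
    };

    // Policy in the shape of the original post: a disallowed tag is stripped,
    // but the text it enclosed is kept (the builder's default behaviour).
    static final PolicyFactory KEEP_TEXT = new HtmlPolicyBuilder()
            .allowElements(ALLOWED_ELEMENTS)
            .allowAttributes("href", "rel").onElements("a")
            .allowAttributes("cite").onElements("blockquote", "q")
            .allowAttributes("src", "alt", "width", "height").onElements("img")
            .toFactory();

    // Same whitelist, plus an explicit list of elements whose content should
    // vanish together with the tag. Elements not named here still keep their
    // text, so this list has to be maintained alongside the element whitelist;
    // the names below are illustrative, not a recommended list.
    static final PolicyFactory DROP_TEXT = new HtmlPolicyBuilder()
            .allowElements(ALLOWED_ELEMENTS)
            .allowAttributes("href", "rel").onElements("a")
            .allowAttributes("cite").onElements("blockquote", "q")
            .allowAttributes("src", "alt", "width", "height").onElements("img")
            .disallowTextIn("blink", "marquee", "object", "embed", "iframe")
            .toFactory();

    static String sanitizeKeepingText(String untrustedHtml) {
        return KEEP_TEXT.sanitize(untrustedHtml);
    }

    static String sanitizeDroppingText(String untrustedHtml) {
        return DROP_TEXT.sanitize(untrustedHtml);
    }

    public static void main(String[] args) {
        // Constructed inputs: the thread's test string, and a case with an
        // allowed element nested inside a disallowed one, which is the case
        // to check against the version you actually ship with.
        String[] samples = {
            "<hr />Hello<h1>OK</h1><blink>evil</blink><script>alert('Evil');</script>",
            "<p>keep</p><blink>outer <b>inner</b> text</blink><iframe src=\"x\">fallback</iframe>"
        };
        for (String html : samples) {
            System.out.println("input:         " + html);
            System.out.println("keeping text:  " + sanitizeKeepingText(html));
            System.out.println("dropping text: " + sanitizeDroppingText(html));
            System.out.println();
        }
    }
}
```

Two practical notes. First, the script body in the thread's example already disappeared under the original policy because script content is raw text rather than ordinary text in the parser's content model; disallowTextIn is needed only for elements such as blink whose content is ordinary text. Second, the text that leaks through a stripped tag is still escaped on output, so keeping it is a presentation problem rather than an injection problem; the reason to drop it is that the client does not want it shown, not that it is dangerous.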