Logic in case of overlapping/conflicting allowAttributes


neutri...@gmail.com

May 23, 2017, 6:00:15 PM5/23/17
to OWASP Java HTML Sanitizer Support
Sorry if this is a stupid question, but I am not a veteran of the framework.
I was wondering what happens if I call allowAttributes for the same attribute, on the same element, specifying different rules. Something like:

htmlPolicyBuilder.allowAttributes("a").matching(true, "foo").onElements("x").allowAttributes("a").matching(false, "bar").onElements("x")

I could try to see what happens, but I would prefer to trust an official source. The problem is that I couldn't find anything in the documentation.
Thanks

Andrea

Mike Samuel

May 23, 2017, 6:04:41 PM5/23/17
to OWASP Java HTML Sanitizer Support
On Tue, May 9, 2017 at 8:38 AM, <neutri...@gmail.com> wrote:
> Sorry if this is a stupid question, but I am not a veteran of the framework.
> I was wondering what happens if I call allowAttributes for the same
> attribute, on the same element, specifying different rules. Something like:
>
> htmlPolicyBuilder.allowAttributes("a").matching(true,
> "foo").onElements("x").allowAttributes("a").matching(false,
> "bar").onElements("x")


If you specify two policies, then the second will receive the output
from the first policy and gets the final say. So all policies are
run, and if any policy vetoes an attribute or element then that
element or attribute is not included.

In this case, you're requiring that the value of <x a> match both
/^foo$/i and /^bar$/ which effectively disallows it since there is no
string that matches both those patterns.

>
> I could try to see what happens, but I would prefer to trust an official
> source. The problem is that I couldn't find anything in the documentation.
> Thanks
>
> Andrea
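The intersection behaviour Mike describes, as an added example (not code from the thread or from the sanitizer project), using the element and attribute names from the question. It assumes `allowElements("x")` is needed for the element itself to survive, that `matching(boolean, String...)` and `matching(Pattern)` are the AttributeBuilder overloads (the first is the one used in the question), and that a custom element name like `x` is accepted by the builder.

```java
import java.util.regex.Pattern;
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

/** Added example: what two allowAttributes rules for the same <x a> do. */
public class OverlappingAllowAttributes {

  // The policy exactly as written in the question. Both rules run, and the
  // second sees the first one's output, so a value must satisfy both to survive.
  static final PolicyFactory CONFLICTING = new HtmlPolicyBuilder()
      .allowElements("x")  // assumption: the element itself must be allowed too
      .allowAttributes("a").matching(true, "foo").onElements("x")
      .allowAttributes("a").matching(false, "bar").onElements("x")
      .toFactory();

  // If the intent was "foo (any case) OR bar (exact)", that has to be expressed
  // in a single rule; here with a full-match pattern instead of two calls.
  static final PolicyFactory EITHER_VALUE = new HtmlPolicyBuilder()
      .allowElements("x")
      .allowAttributes("a").matching(Pattern.compile("(?i:foo)|bar")).onElements("x")
      .toFactory();

  // Wraps a constructed attribute value in the markup from the question.
  static String sanitize(PolicyFactory policy, String value) {
    return policy.sanitize("<x a=\"" + value + "\">text</x>");
  }

  public static void main(String[] args) {
    // Constructed sample values: one per rule, case variants, and an outsider.
    String[] samples = {"foo", "FOO", "bar", "BAR", "baz"};
    for (String v : samples) {
      System.out.printf("a=%-4s conflicting: %-28s either: %s%n",
          v, sanitize(CONFLICTING, v), sanitize(EITHER_VALUE, v));
    }
    // Per the reply, CONFLICTING requires the value to match both /^foo$/i and
    // /^bar$/, which no string does, so the attribute is stripped in every row.
  }
}
```

The takeaway for policy authors: a later allowAttributes call for the same attribute and element can only narrow what an earlier one admits, never widen it.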