On Tue, May 9, 2017 at 8:38 AM, <neutri...@gmail.com> wrote:
> Sorry if this is a stupid question, but I am not a veteran of the framework.
> I was wondering what happens if I call allowAttributes for the same
> attribute, on the same element, specifying different rules. Something like:
>
> htmlPolicyBuilder.allowAttributes("a").matching(true,
> "foo").onElements("x").allowAttributes("a").matching(false,
> "bar").onElements("x")
If you specify two policies, then the second will receive the output
from the first policy and get the final say. So all policies are
run, and if any policy vetoes an attribute or element then that
element or attribute is not included.
In this case, you're requiring that the value of <x a> match both
/^foo$/i and /^bar$/ which effectively disallows it since there is no
string that matches both those patterns.
>
> I could try to see what happens, but I would prefer to trust an official
> source. The problem is that I couldn't find anything in the documentation.
> Thanks
>
> Andrea
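
The stacking behaviour described in the reply above, as an added example that is not part of the original thread or the project's own code. It assumes the OWASP Java HTML Sanitizer jar is on the classpath, uses `div` in place of the thread's placeholder element `x`, and adds a second policy (one rule listing both values) for comparison; the class name and sample inputs are constructed for illustration.

```java
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

public class StackedAttributeRules {
  public static void main(String[] args) {
    // The policy from the question: two rules for attribute "a" on the
    // same element. Both rules are applied to the value, so it must
    // satisfy the case-insensitive "foo" rule AND the case-sensitive
    // "bar" rule. ("div" replaces the thread's "x"; an assumption here.)
    PolicyFactory stacked = new HtmlPolicyBuilder()
        .allowElements("div")
        .allowAttributes("a").matching(true, "foo").onElements("div")
        .allowAttributes("a").matching(false, "bar").onElements("div")
        .toFactory();

    // Comparison policy: a single rule whose allowed-value list holds
    // both strings, so a value passes if it equals either one.
    PolicyFactory either = new HtmlPolicyBuilder()
        .allowElements("div")
        .allowAttributes("a").matching(true, "foo", "bar").onElements("div")
        .toFactory();

    // Constructed sample inputs covering each rule and a value neither allows.
    String[] inputs = {
        "<div a=\"foo\">one</div>",
        "<div a=\"FOO\">two</div>",
        "<div a=\"bar\">three</div>",
        "<div a=\"baz\">four</div>"
    };

    for (String html : inputs) {
      System.out.println("input:   " + html);
      System.out.println("stacked: " + stacked.sanitize(html));
      System.out.println("either:  " + either.sanitize(html));
      System.out.println();
    }
  }
}
```

Comparing the `stacked` and `either` lines for each input shows whether attribute `a` survives sanitization under the policy from the question and under the single-rule alternative.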