Add target="_blank" to links


Александр Свиридов

Mar 21, 2015, 7:46:24 PM
to owasp-java-html-...@googlegroups.com
Hello! Can anyone say how I can make htmlsanitizer add the attribute target="_blank" to links? I want every link the user adds to have this attribute with this value.


--
Александр Свиридов

Jim Manico

Mar 21, 2015, 8:51:56 PM
to owasp-java-html-...@googlegroups.com
I'm not 100% sure, but shouldn't something close to this work?

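// Allow only <a> elements with https links; "target" is permitted when the input supplies it.
PolicyFactory policy = new HtmlPolicyBuilder()
   .allowElements("a")
   .allowUrlProtocols("https")
   .allowAttributes("href").onElements("a")
   .allowAttributes("target").onElements("a")
   .requireRelNofollowOnLinks()
   .toFactory();  // HtmlPolicyBuilder yields a PolicyFactory through toFactory()
String safeHTML = policy.sanitize(untrustedHTML);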

Aloha,
Jim



Mike Samuel

Dec 24, 2015, 10:48:32 PM
to owasp-java-html-...@googlegroups.com
Change

.allowElements("a")

to

.allowElements(
    "a",
    new ElementPolicy() {
        public String apply(String elementName, List<String> attrs) {
            attrs.add("target");
            attrs.add("_blank");
        }
    })

That uses an element policy to add attributes to all <a> elements.
Since you haven't allowed target, there are guaranteed to be no
"target" attributes in attrs.

Mike Samuel

Mar 14, 2016, 11:12:07 AM
to cyp...@gmail.com, OWASP Java HTML Sanitizer Support
Sorry, I missed the return statement.
I think you should be returning elementName.

On Sun, Mar 13, 2016 at 8:20 PM, <cyp...@gmail.com> wrote:
> Hi Mike, thanks for the reply - is this still relevant for the current
> version?
> The closest I could get in a valid compile was flipping the params and
> adding a null return on the apply method (still unsuccessful).
> return new org.owasp.html.HtmlPolicyBuilder()
>     .allowElements(
>         new ElementPolicy() {
>             public String apply(final String elementName, final List<String> attrs) {
>                 attrs.add("target");
>                 attrs.add("_blank");
>                 return null;
>             }
>         }, "a")
>     .allowUrlProtocols("https")
>     .allowAttributes( "href" ).onElements( "a" )
>     .requireRelNofollowOnLinks()
>     .toFactory();

cyp...@gmail.com

Mar 14, 2016, 8:26:59 PM
to OWASP Java HTML Sanitizer Support, mikes...@gmail.com
Hi Mike, thanks for the reply - is this still relevant for the current version?
The closest I could get in a valid compile was flipping the params and adding a null return on the apply method (still unsuccessful). 
return new org.owasp.html.HtmlPolicyBuilder()
    .allowElements(
        new ElementPolicy() {
            public String apply(final String elementName, final List<String> attrs) {
                attrs.add("target");
                attrs.add("_blank");
                return null;
            }
        }, "a")
    .allowUrlProtocols("https")
    .allowAttributes( "href" ).onElements( "a" )
    .requireRelNofollowOnLinks()
    .toFactory();
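
The pieces of this thread put together, as an added example that is not code from any poster or from the project: the element policy goes first in allowElements, returns elementName as Mike suggests, and also strips any target already present so the forced value is the only one. The class name, constant names and the sample input are constructed for illustration.

```java
import java.util.List;
import org.owasp.html.ElementPolicy;
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

public class TargetBlankPolicy {

    // attrs is a flat list of alternating names and values:
    // [name0, value0, name1, value1, ...]
    static final ElementPolicy FORCE_TARGET_BLANK = new ElementPolicy() {
        public String apply(String elementName, List<String> attrs) {
            // Defensive: if "target" is ever allowed elsewhere in the policy,
            // remove the user-supplied pair so only the forced value remains.
            for (int i = attrs.size() - 2; i >= 0; i -= 2) {
                if ("target".equalsIgnoreCase(attrs.get(i))) {
                    attrs.remove(i + 1); // value
                    attrs.remove(i);     // name
                }
            }
            attrs.add("target");
            attrs.add("_blank");
            // Returning null tells the sanitizer to drop the element,
            // so the element name must be returned to keep the link.
            return elementName;
        }
    };

    static final PolicyFactory POLICY = new HtmlPolicyBuilder()
        .allowElements(FORCE_TARGET_BLANK, "a") // policy first, then element names
        .allowUrlProtocols("https")
        .allowAttributes("href").onElements("a")
        .requireRelNofollowOnLinks()
        .toFactory();

    public static void main(String[] args) {
        // Constructed sample input: a user-chosen target and an event handler.
        String untrusted =
            "<a href=\"https://example.com/\" target=\"_self\" onclick=\"x()\">link</a>";
        System.out.println(POLICY.sanitize(untrusted));
    }
}
```

Since every user-supplied link now opens in a new browsing context, check in the sanitized output whether rel also carries noopener, which keeps the opened page from reaching window.opener.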

