sanitizer is adding empty comment block given double curly braces...


Paulo Avelar

May 23, 2017, 6:00:15 PM
to OWASP Java HTML Sanitizer Support
Hi,

The sanitizer is adding an empty comment block when it encounters {{}} in a text block. For example:

given:

<p>{{DATE(2017-02-14T06:08:39Z)}}</p>

it produces:

<p>{<!-- -->{DATE(2017-02-14T06:08:39Z)}}</p>

or

<p>{{}}</p>

will produce

<p>{<!-- -->{}}

So, I don't think it should do that. Is this a bug?


Thank you,
Paulo

Mike Samuel

May 23, 2017, 6:06:32 PM
to OWASP Java HTML Sanitizer Support

sampo.j...@wellmo.com

Dec 19, 2017, 1:07:54 PM
to OWASP Java HTML Sanitizer Support
Hi,

How can this functionality be disabled? We need to sanitize HTML code which can contain Handlebars placeholders within the HTML body text (not inside tags) and the sanitizer is breaking those.

We allow customers to define HTML content containing Handlebars placeholders. We control the Handlebars context and ensure that it's safe, thus in our case it's not a security issue that the placeholders are allowed in the body text.

- Sampo
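As an added example (not code from this thread or from the OWASP project), one way to sanitize the surrounding HTML while keeping Handlebars placeholders in body text intact: swap each allowlisted `{{...}}` for an opaque text token before sanitizing and put it back afterwards, so the sanitizer never sees the double braces. The policy, the token format and the allowlisted placeholder character set are assumptions; placeholders that fail the allowlist are left for the sanitizer to handle as it does today.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.owasp.html.PolicyFactory;
import org.owasp.html.Sanitizers;

public final class PlaceholderPreservingSanitizer {
  // Assumed policy: inline formatting plus block elements, with no attributes
  // that could carry a restored placeholder into an attribute value or URL.
  private static final PolicyFactory POLICY =
      Sanitizers.FORMATTING.and(Sanitizers.BLOCKS);

  // Assumed placeholder allowlist: letters, digits and a little punctuation,
  // enough for {{DATE(2017-02-14T06:08:39Z)}} from the thread. Braces whose
  // content includes '<', quotes or other markup characters do not match and
  // therefore still go through the sanitizer untouched.
  private static final Pattern PLACEHOLDER =
      Pattern.compile("\\{\\{([A-Za-z0-9_.:()\\-]+)\\}\\}");

  // Opaque stand-in the sanitizer treats as plain text (no braces, no markup).
  private static final Pattern TOKEN = Pattern.compile("HBTOKEN(\\d{1,6})END");

  public static String sanitize(String html) {
    List<String> saved = new ArrayList<>();
    StringBuffer tokenized = new StringBuffer();
    Matcher m = PLACEHOLDER.matcher(html);
    while (m.find()) {
      saved.add(m.group(1));
      m.appendReplacement(tokenized, "HBTOKEN" + (saved.size() - 1) + "END");
    }
    m.appendTail(tokenized);

    String clean = POLICY.sanitize(tokenized.toString());

    // Restore only tokens we issued; a token-shaped string typed by the
    // customer with an index we never saved is left as ordinary text.
    StringBuffer out = new StringBuffer();
    Matcher t = TOKEN.matcher(clean);
    while (t.find()) {
      int i = Integer.parseInt(t.group(1));
      String repl = i < saved.size() ? "{{" + saved.get(i) + "}}" : t.group();
      t.appendReplacement(out, Matcher.quoteReplacement(repl));
    }
    t.appendTail(out);
    return out.toString();
  }

  public static void main(String[] args) {
    System.out.println(sanitize("<p>{{DATE(2017-02-14T06:08:39Z)}}</p>"));
  }
}
```

If the policy is widened to allow attributes (links, styles), check that a token cannot end up inside an attribute value before restoring it, otherwise a placeholder is reintroduced where the sanitizer would never have left it.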

Jim Manico

Dec 19, 2017, 6:04:09 PM
to owasp-java-html-...@googlegroups.com
Mike will likely answer with more depth but this library is for HTML sanitization, not template sanitization. ☹️
--
You received this message because you are subscribed to the Google Groups "OWASP Java HTML Sanitizer Support" group.
To unsubscribe from this group and stop receiving emails from it, send an email to owasp-java-html-saniti...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Mike Samuel

Dec 19, 2017, 10:51:33 PM
to OWASP Java HTML Sanitizer Support
This discussion seems to be happening both here and on https://github.com/OWASP/java-html-sanitizer/issues/111

Unless someone feels strongly, let's continue discussion on the bug.
