How to add new font-families? -- Issue #70


marcelo....@hotmail.com

Jan 25, 2018, 2:00:52 PM
to OWASP Java HTML Sanitizer Support
I would like to whitelist different font-families that are not present in the DEFINITIONS master-set... How would i go about this?

Simple test case that breaks... 

import static org.junit.Assert.assertEquals;
import org.junit.Test;
import org.owasp.html.Sanitizers;

// As posted, this assertion fails: the sanitizer re-serializes the single quotes as character references.
@Test
public final void testNewFontFamily() {
  String input = "<h1 style=\"font-family:'Roboto', sans-serif\">Test font-family style Roboto.</h1>";
  String sanitized = "<h1 style=\"font-family:'Roboto', sans-serif\">Test font-family style Roboto.</h1>";
  assertEquals(sanitized, Sanitizers.STYLES.and(Sanitizers.BLOCKS).sanitize(input));
}

In the test case above, the font-family 'Roboto' has its single quotes escaped.

Mike Samuel

Jan 25, 2018, 2:32:56 PM
to OWASP Java HTML Sanitizer Support
I get

<h1 style="font-family:&#39;roboto&#39; , sans-serif">Test font-family style Roboto.</h1>

which seems fine.  The CSS parser should see the string "font-family:'roboto' , sans-serif"
since the HTML parser unescapes character references in attribute values.

When I try

const div = document.createElement('div')
div.innerHTML = '<h1 style="font-family:&#39;roboto&#39; , sans-serif">Test font-family style Roboto.</h1>'
console.log(div.firstChild.getAttribute('style'))

in a browser console I see

font-family:'roboto' , sans-serif

How is this output a problem?

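Mike's point above is that the HTML parser decodes &#39; before the CSS parser ever sees the style value, so a test should compare decoded attribute values and parsed font-family lists rather than raw markup. The following is an added example, not code from the thread or from the OWASP sanitizer project; the decoder, the helper names and the sample strings (copied from the messages above) are my own, and the decoder handles numeric references plus a handful of named ones only.

```javascript
// Added example (not from the thread): decode character references in an attribute
// value the way a browser does before the CSS parser sees it, then compare the
// resulting font-family list instead of the raw serialized markup.
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" }; // small subset, by assumption

// Decode numeric (&#39; / &#x27;) and the named references listed above.
function decodeAttr(value) {
  return value.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (m, body) => {
    if (body[0] === '#') {
      const hex = body[1].toLowerCase() === 'x';
      const cp = hex ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
      return String.fromCodePoint(cp);
    }
    return Object.prototype.hasOwnProperty.call(NAMED, body) ? NAMED[body] : m;
  });
}

// Pull the (decoded) style attribute out of one element's serialized markup.
function styleAttr(html) {
  const m = /\sstyle="([^"]*)"/i.exec(html);
  return m ? decodeAttr(m[1]) : null;
}

// Split "font-family:'roboto' , sans-serif" into normalized family names, dropping the
// quotes and whitespace that a sanitizer may legitimately add, move or lower-case.
function fontFamilies(style) {
  const m = /font-family\s*:\s*([^;]*)/i.exec(style || '');
  if (!m) return [];
  return m[1]
    .split(',')
    .map(f => f.trim().replace(/^['"]|['"]$/g, '').toLowerCase())
    .filter(Boolean);
}

// True when two markup strings declare the same font-family list after decoding.
function sameFontFamilies(a, b) {
  const fa = fontFamilies(styleAttr(a));
  const fb = fontFamilies(styleAttr(b));
  return fa.length === fb.length && fa.every((f, i) => f === fb[i]);
}

// Constructed samples: the input from the question and the sanitizer output Mike quoted.
const INPUT = "<h1 style=\"font-family:'Roboto', sans-serif\">Test font-family style Roboto.</h1>";
const SANITIZED = '<h1 style="font-family:&#39;roboto&#39; , sans-serif">Test font-family style Roboto.</h1>';
```

With this comparison the question's test passes for the output Mike showed, while a genuinely changed family list (for example a different font name) still fails.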

marcel...@logusinfo.com.br

Jan 26, 2018, 8:47:00 AM
to OWASP Java HTML Sanitizer Support
Hey, Mike!

Thanks for the quick reply! You're right! It's not a problem with the sanitizer after all. The application logic replaces certain strings that have a '#'... Sorry for the trouble! 

Mike Samuel

Jan 26, 2018, 8:47:20 AM
to OWASP Java HTML Sanitizer Support
No worries.  I'm glad you sorted out your problem.