Nested <ul> elements


Don Kneller

Aug 23, 2016, 3:26:27 PM
to OWASP Java HTML Sanitizer Support
Nested <ul> elements like:

<ul><ul><li>Hello world</li></ul></ul>

get sanitized to:

<ul><li><ul><li>Hello world</li></ul></li></ul>

Is this expected and is there a way to modify the behavior to not insert the <li> element?

Mike Samuel

Aug 23, 2016, 3:34:34 PM
to OWASP Java HTML Sanitizer Support
This is expected. We try to put out HTML that validates.


https://www.w3.org/TR/html-markup/ul.html explains what it means for a
<ul> to be valid.

> The ul element represents an unordered list of items; that is,
> a list in which changing the order of the items would not change the meaning of list.

> Permitted contents
> Zero or more li elements

and when I put that input into https://html5.validator.nu/ I get

> Error: Element ul not allowed as child of element ul in this context. (Suppressing further errors from this subtree.)
> ...
> Contexts in which element ul may be used:Where flow content is expected.
> Content model for element ul:Zero or more li and script-supporting elements.


Introducing an <li> seems to be a change that most preserves the
probable intent.
If you wanted to prevent extra bullets from showing up, you might try
mucking with style

li > ul:only-child, li > ol:only-child { list-style: none; display: block }

or something similar.

D Kneller

Aug 24, 2016, 10:02:12 AM
to owasp-java-html-...@googlegroups.com
I agree it is not expected in HTML 5, but browsers seem to accept this and each <ul> causes more indent. If I don't have control over the content, can I change the sanitizer behavior to not insert the <li> element?



D Kneller

Aug 24, 2016, 10:02:12 AM
to owasp-java-html-...@googlegroups.com

Thanks. The styling does remove the "extra" bullets.




Mike Samuel

Aug 24, 2016, 10:04:56 AM
to OWASP Java HTML Sanitizer Support
On Tue, Aug 23, 2016 at 3:45 PM, D Kneller <dgkn...@gmail.com> wrote:
> I agree it is not expected in HTML 5, but browsers seem to accept this and
> each <ul> causes more indent. If I don't have control over the content, can
> I change the sanitizer behavior to not insert the <li> element?

I'm glad the styling change worked for the bullets, and a few tweaks
might get it working for the extra indentation.
Does the content provider have a chance to preview their
post-sanitization content?
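
Added example, not part of the thread and not the sanitizer's own code: a pre-flight check for the content model quoted earlier, which a content provider could run before submitting to see where markup departs from it. It goes beyond the posted case by covering <ol> as well as <ul>, checks element children only, and uses Python's standard html.parser; the names ListNestingChecker and find_invalid_list_children are hypothetical.

```python
from html.parser import HTMLParser

LIST_PARENTS = {"ul", "ol"}
# li plus the script-supporting elements named in the quoted content model
ALLOWED_IN_LIST = {"li", "script", "template"}
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
        "link", "meta", "source", "track", "wbr"}

# Input and sanitizer output exactly as posted in the thread
POSTED_INPUT = "<ul><ul><li>Hello world</li></ul></ul>"
POSTED_OUTPUT = "<ul><li><ul><li>Hello world</li></ul></li></ul>"


class ListNestingChecker(HTMLParser):
    """Records (parent, child, line, column) for each element that sits
    directly inside a list but is not permitted there."""

    def __init__(self):
        super().__init__()
        self.stack = []        # currently open elements, innermost last
        self.violations = []

    def handle_starttag(self, tag, attrs):
        parent = self.stack[-1] if self.stack else None
        if parent in LIST_PARENTS and tag not in ALLOWED_IN_LIST:
            line, col = self.getpos()
            self.violations.append((parent, tag, line, col))
        if tag not in VOID:    # void elements never stay open
            self.stack.append(tag)

    def handle_endtag(self, tag):
        # Ignore stray end tags; otherwise close everything up to the match.
        if tag in self.stack:
            while self.stack.pop() != tag:
                pass


def find_invalid_list_children(html):
    """Return the list of violations found in an HTML fragment."""
    checker = ListNestingChecker()
    checker.feed(html)
    checker.close()
    return checker.violations


if __name__ == "__main__":
    for parent, child, line, col in find_invalid_list_children(POSTED_INPUT):
        print(f"line {line}, col {col}: <{child}> directly inside <{parent}>")
```
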

Don Kneller

Aug 25, 2016, 11:09:28 PM
to owasp-java-html-...@googlegroups.com
The extra indentation still works, so the person having the issue is now happy that there are no extra bullets.