Sanitizer is stripping the href if the URL is tailed with white space when the url protocol is ftp


Rasmita Mahapatra
Feb 7, 2018, 5:29:13 AM, to OWASP Java HTML Sanitizer Support
<a href =" ftp://test.com"> FTP link</a> (space before the URL)
Result:  FTP link

If the input is
<a href =  \"ftp://test.com\"> FTP link1</a> (space after href= )
Result: FTP link1

The issue is not seen when the link has http:

Input: <a href=" http://link.com" >link1</a>
Result: <a href="http://link.com">link1</a>

Input: <a href=  "http://link.com" >link11</a>
Result: <a href="http://link.com">link11</a>


Mike Samuel
Feb 7, 2018, 9:05:13 AM, to OWASP Java HTML Sanitizer Support
On Wed, Feb 7, 2018 at 5:29 AM, Rasmita Mahapatra <rasm...@gmail.com> wrote:
> <a href =" ftp://test.com"> FTP link</a> (space before the URL)
> Result:  FTP link
> [...]
> The issue is not seen when the link has http

Does your policy allow ftp: URLs?


Rasmita Mahapatra
Feb 16, 2018, 3:03:46 AM, to OWASP Java HTML Sanitizer Support

On Wednesday, February 7, 2018 at 7:35:13 PM UTC+5:30, Mike Samuel wrote:
> Does your policy allow ftp: URLs?

No, it's not supported.

Mike Samuel
Feb 16, 2018, 7:03:34 AM, to OWASP Java HTML Sanitizer Support

On Feb 16, 2018 3:03 AM, "Rasmita Mahapatra" <rasm...@gmail.com> wrote:
> > Does your policy allow ftp: URLs?
>
> No, it's not supported.

That's probably why ftp URLs are being stripped.
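The point above is that the sanitizer is not mishandling whitespace: an href whose URL protocol is absent from the policy's protocol allowlist is dropped no matter how the attribute is spaced, and the http examples in the first post survive only because http is on the list. The following is an added example (not code from the thread, and not part of the OWASP Java HTML Sanitizer project itself) that makes this visible by running the thread's inputs, plus a whitespace-free ftp link as a control, through two policies that differ only in their URL protocol allowlist. It assumes the org.owasp.html library is on the classpath (Maven artifact com.googlecode.owasp-java-html-sanitizer:owasp-java-html-sanitizer); the class name and the input array are mine.

```java
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

public class FtpLinkPolicyDemo {

    // Policy A: allowStandardUrlProtocols() permits only http, https and mailto.
    // Any href with another protocol (ftp, javascript, data, ...) is removed,
    // which is the behaviour the thread reports for ftp:// links.
    static final PolicyFactory STANDARD_PROTOCOLS = new HtmlPolicyBuilder()
            .allowElements("a")
            .allowAttributes("href").onElements("a")
            .allowStandardUrlProtocols()
            .requireRelNofollowOnLinks()
            .toFactory();

    // Policy B: the same policy with ftp added to the allowlist explicitly.
    // Widening the allowlist is a deliberate decision: every protocol added
    // here is one more kind of link that untrusted input can inject.
    static final PolicyFactory WITH_FTP = new HtmlPolicyBuilder()
            .allowElements("a")
            .allowAttributes("href").onElements("a")
            .allowUrlProtocols("http", "https", "mailto", "ftp")
            .requireRelNofollowOnLinks()
            .toFactory();

    // Constructed inputs: the four cases from the thread, plus an ftp link
    // with no whitespace at all. If that one is stripped by Policy A too,
    // the whitespace was never the cause; the protocol allowlist is.
    static final String[] INPUTS = {
        "<a href =\" ftp://test.com\"> FTP link</a>",
        "<a href =  \"ftp://test.com\"> FTP link1</a>",
        "<a href=\"ftp://test.com\">FTP link, no whitespace</a>",
        "<a href=\" http://link.com\" >link1</a>",
        "<a href=  \"http://link.com\" >link11</a>",
    };

    public static void main(String[] args) {
        for (String input : INPUTS) {
            System.out.println("input:          " + input);
            // Policy A: href kept for the http inputs, dropped for all ftp inputs.
            System.out.println("standard only:  " + STANDARD_PROTOCOLS.sanitize(input));
            // Policy B: href kept for every input; the thread's http output shows
            // the sanitizer also normalises the whitespace around the attribute.
            System.out.println("with ftp:       " + WITH_FTP.sanitize(input));
            System.out.println();
        }
    }
}
```

The check to run before suspecting whitespace handling is the third input: a clean `ftp://` href against the production policy. If it is stripped, add the protocol with allowUrlProtocols only if ftp links are genuinely wanted in the rendered output, and keep requireRelNofollowOnLinks so the added links are not treated as endorsed.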

Rasmita Mahapatra
Feb 19, 2018, 1:32:14 AM, to OWASP Java HTML Sanitizer Support

On Friday, February 16, 2018 at 5:33:34 PM UTC+5:30, Mike Samuel wrote:
> That's probably why ftp URLs are being stripped.

Thanks