Allow attributes "data-*" or "aria-*"


jakalte...@gmail.com

Nov 14, 2014, 5:11:30 AM
to owasp-java-html-...@googlegroups.com
Is there a possibility to allow attributes with a wildcard,
so that all attributes starting with "aria-" or "data-" are allowed?

Thanks in advance!

san...@backbase.com

Aug 18, 2016, 11:06:41 AM
to OWASP Java HTML Sanitizer Support, jakalte...@gmail.com
Hi,
I am also looking for a similar solution, where I need to allow attributes with a wildcard like aria-*, as .allowAttributes("...").matching(...) uses the values of attributes to match.
If you already have a reference, it would really help.
Thanks in advance!

Mike Samuel

Aug 18, 2016, 11:17:43 AM
to OWASP Java HTML Sanitizer Support
You can find a list of aria attributes at
https://www.w3.org/TR/wai-aria/states_and_properties

If you don't know how data- attributes are being used, then you should
not white list them.

data- attributes from which URL attributes can still be passed
javascript: URLs which might allow arbitrary JS execution.
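
One way to apply the advice in the last reply, as an added example that is not part of the thread or the sanitizer project's own code: list the ARIA attribute names explicitly instead of using a wildcard, and allow only a data- attribute whose use is known, with its value constrained. The attribute `data-item-id`, its numeric format, the chosen ARIA subset and the sample input are assumptions made for illustration.

```java
import java.util.regex.Pattern;
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

public class AriaDataPolicyExample {

  // Explicit subset of the WAI-ARIA states and properties (assumed subset;
  // extend it from the W3C list rather than matching "aria-*").
  private static final String[] ARIA_ATTRS = {
    "aria-label", "aria-labelledby", "aria-describedby", "aria-hidden",
    "aria-expanded", "aria-controls", "aria-live", "aria-disabled"
  };

  // Hypothetical data- attribute that this application's own scripts read
  // as a numeric id. The pattern must match the whole attribute value.
  private static final Pattern ITEM_ID = Pattern.compile("[0-9]{1,10}");

  static final PolicyFactory POLICY = new HtmlPolicyBuilder()
      .allowElements("div", "span", "button", "a")
      // Named ARIA attributes are allowed on every permitted element.
      .allowAttributes(ARIA_ATTRS).globally()
      // The one known data- attribute is allowed only with a numeric value.
      .allowAttributes("data-item-id").matching(ITEM_ID).globally()
      // URL-bearing attributes stay restricted to the standard protocols.
      .allowAttributes("href").onElements("a")
      .allowStandardUrlProtocols()
      .toFactory();

  public static void main(String[] args) {
    // Constructed sample input: one known data- attribute with a valid value,
    // one unknown data- attribute carrying a javascript: URL, and one known
    // data- attribute whose value does not match the pattern.
    String untrusted =
        "<div aria-label=\"Cart\" data-item-id=\"42\""
        + " data-target=\"javascript:alert(1)\">"
        + "<span aria-hidden=\"true\" data-item-id=\"42;x\">x</span>"
        + "<a href=\"https://example.com/\" aria-describedby=\"help\">link</a>"
        + "</div>";

    // Attributes that are not named in the policy (data-target) and values
    // that fail the pattern ("42;x") are removed from the output.
    System.out.println(POLICY.sanitize(untrusted));
  }
}
```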