Problems with embedded images


pep

Jul 7, 2016, 11:55:59 AM7/7/16
to OWASP Java HTML Sanitizer Support
Hi,

I'm using the OWASP Java HTML Sanitizer to sanitize HTML e-mails.

I have to support different kinds of images within the e-mails.

Besides ONSITE_URL and OFFSITE_URL I also need to support 'cid' and 'data' (embedded images).

In my PolicyFactory I have allowed 'cid' and 'data' URLs.

The problem now is the data URL (data:image/png;base64).

The sanitizer somehow replaces '+' within the image data with '&#43;', which causes an error later on in the application,
because the length of the image data was changed.

E.g.:
data:image/png;base64,cwAADsMAAA7DAcdvqGQAAAVZSURBVHhe7ZpNctQwEEa5HmfhKBwDNlmTE8Ai+3CCVC4wxQVAtmz1p09/r

results in:
data:image/png;base64,cwAADsMAAA7DAcdvqGQAAAVZSURBVHhe7ZpNctQwEEa5HmfhKBwDNlmTE8Ai&#43;3CCVC4wxQVAtmz1p09/r

Is there any possibility to 'tell' the sanitizer not to touch or modify the image data?

Any hints?

Thanks in advance

Mike Samuel

Jul 7, 2016, 11:58:10 AM7/7/16
to OWASP Java HTML Sanitizer Support

Does this data URL appear in an HTML attribute?  If so, how is this causing problems?


Johann Pepelner

Jul 8, 2016, 11:49:10 AM7/8/16
to OWASP Java HTML Sanitizer Support
The content after "data:image/png;base64," is also decoded by the application before it is stored in the database.
The Base64Decoder throws an 'Invalid length.' IOException in this case.

Greetings pep

Mike Samuel

Jul 8, 2016, 11:54:57 AM7/8/16
to OWASP Java HTML Sanitizer Support
It sounds like the application needs to HTML decode HTML attribute
values before trying to base64 decode them, the same way a browser
does.

mcr...@gmail.com

Jun 14, 2018, 12:56:23 PM6/14/18
to OWASP Java HTML Sanitizer Support
Hi

I have exactly the same problem; did you solve it?
For decoding the image I have tried Apache Commons Base64 and Java 8 Base64. In the first case I can decode the String but the image is invalid; in the second case I get an exception ("java.lang.IllegalArgumentException: Illegal base64 character 26").

Any idea how to decode it?

Mike Samuel

Jun 14, 2018, 12:58:00 PM6/14/18
to OWASP Java HTML Sanitizer Support
On Thu, Jun 14, 2018 at 12:56 PM <mcr...@gmail.com> wrote:
> Hi
>
> I have exactly the same problem; did you solve it?
> For decoding the image I have tried Apache Commons Base64 and Java 8 Base64. In the first case I can decode the String but the image is invalid; in the second case I get an exception ("java.lang.IllegalArgumentException: Illegal base64 character 26").
>
> Any idea how to decode it?

If you have base64 content embedded in HTML you need to HTML decode before base64 decoding.

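Added example (not code from the thread or from the sanitizer project itself) showing the fix Mike describes: sanitize an <img> whose src is a data: URL, then HTML-decode the attribute value before base64-decoding it. It uses the library's public HtmlPolicyBuilder, PolicyFactory and Encoding.decodeHtml; the policy, the regex that pulls src back out of the sanitized markup, and the sample PNG-like bytes are this example's own assumptions. Note that the "Illegal base64 character 26" in the post above is the '&' that opens the character reference the sanitizer emitted for '+', which is exactly what HTML-decoding first removes.

```java
import java.util.Arrays;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import org.owasp.html.Encoding;
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

public class EmbeddedImageDemo {

  // Assumed e-mail policy: <img src> may use http(s), cid: (MIME parts) or data: URLs.
  static final PolicyFactory POLICY = new HtmlPolicyBuilder()
      .allowElements("img")
      .allowAttributes("src", "alt").onElements("img")
      .allowUrlProtocols("http", "https", "cid", "data")
      .toFactory();

  // The sanitizer emits attribute values double-quoted, so this is enough to pull src back out
  // of its output (assumption of this example; a real consumer would use an HTML parser).
  static final Pattern SRC = Pattern.compile("src=\"([^\"]*)\"");
  static final String PREFIX = "data:image/png;base64,";

  /** Returns the bytes of the first data: PNG in sanitized HTML, or null if there is none. */
  static byte[] extractPng(String sanitizedHtml) {
    Matcher m = SRC.matcher(sanitizedHtml);
    while (m.find()) {
      // Step 1: undo the HTML attribute encoding the sanitizer applied (a literal '+' in the
      // attribute comes back as the character reference &#43;, '&' being byte 0x26).
      String src = Encoding.decodeHtml(m.group(1));
      if (!src.startsWith(PREFIX)) {
        continue;
      }
      // Step 2: only now is the remainder the original base64 text again.
      return Base64.getDecoder().decode(src.substring(PREFIX.length()));
    }
    return null;
  }

  public static void main(String[] args) {
    // Constructed sample: bytes chosen so the base64 form contains '+', '/' and '=' padding.
    byte[] original = {(byte) 0x89, 'P', 'N', 'G', (byte) 0xfb, (byte) 0xff, (byte) 0xbf, 0x01};
    String payload = Base64.getEncoder().encodeToString(original);
    String html = "<img src=\"" + PREFIX + payload + "\" alt=\"logo\">";

    String sanitized = POLICY.sanitize(html);
    System.out.println("sanitized: " + sanitized);

    // Base64-decoding the attribute text as-is is what fails in the thread above.
    Matcher m = SRC.matcher(sanitized);
    if (m.find()) {
      try {
        Base64.getDecoder().decode(m.group(1).substring(PREFIX.length()));
        System.out.println("raw attribute decoded without HTML decoding");
      } catch (IllegalArgumentException e) {
        System.out.println("raw attribute fails: " + e.getMessage());
      }
    }

    // HTML-decode first, then base64-decode: the image bytes round-trip unchanged.
    byte[] recovered = extractPng(sanitized);
    System.out.println("round trip ok: " + Arrays.equals(original, recovered));
  }
}
```

The sanitizer is doing its job here: encoding '+' (and other characters) in attribute values is part of how it defuses attribute-injection and charset tricks, so the application should not try to switch it off. Treat the sanitized document as HTML, decode the attribute the way a browser would, and only then hand the result to a base64 decoder; the same applies to cid: references if they are compared against MIME Content-ID headers.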