sanitizer is adding empty comment block given double curly braces...


Paulo Avelar

May 23, 2017 18:00:15
To: OWASP Java HTML Sanitizer Support
Hi,

The sanitizer adds an empty comment block when it encounters {{}} in a text block. For example:

given:

<p>{{DATE(2017-02-14T06:08:39Z)}}</p>

 it produces:

<p>{<!-- -->{DATE(2017-02-14T06:08:39Z)}}</p>

or

<p>{{}}</p>

will produce

<p>{<!-- -->{}}

So, I don't think it should do that. Is this a bug?


Thank you,
Paulo
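The transformation Paulo reports (an empty comment spliced between two consecutive `{` characters, but only inside text content, never inside a tag) is a deliberate defence: client-side template engines such as AngularJS interpolate `{{...}}` they find in document text, so sanitized-but-intact double braces can become a client-side template injection. The following is an added Python model of that behaviour, written for this page and not taken from the OWASP Java HTML Sanitizer's source; the function and class names are the example's own, and the sample inputs are the ones quoted in the post above.

```python
"""Added example (not the OWASP Java HTML Sanitizer's own code).

Models the sanitizer's defensive handling of '{{' in text nodes:
an empty HTML comment is inserted between consecutive '{' characters
so a browser-side template engine no longer sees an interpolation
token. Tags and attribute values are re-emitted unchanged, and
incoming comments are dropped (a sanitizer would not pass them through).
"""
from html import escape
from html.parser import HTMLParser


def break_template_delimiters(text: str) -> str:
    """Insert '<!-- -->' between every pair of adjacent '{' in plain text."""
    out = []
    prev_brace = False
    for ch in text:
        if ch == "{" and prev_brace:
            out.append("<!-- -->")
        out.append(ch)
        prev_brace = ch == "{"
    return "".join(out)


class TemplateSafeRenderer(HTMLParser):
    """Re-serialises markup, applying the brace split to text nodes only."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.parts: list[str] = []

    def handle_starttag(self, tag, attrs):
        attr_text = "".join(
            f' {name}="{escape(value, quote=True)}"' if value is not None else f" {name}"
            for name, value in attrs
        )
        self.parts.append(f"<{tag}{attr_text}>")

    def handle_endtag(self, tag):
        self.parts.append(f"</{tag}>")

    def handle_data(self, data):
        # Only text content is touched; attributes above pass through intact.
        self.parts.append(break_template_delimiters(escape(data, quote=False)))

    def handle_comment(self, data):
        # Original comments are discarded; only the defensive one is emitted.
        pass


def render(html: str) -> str:
    """Parse `html` and return it with '{{' broken in all text nodes."""
    renderer = TemplateSafeRenderer()
    renderer.feed(html)
    renderer.close()
    return "".join(renderer.parts)


if __name__ == "__main__":
    # Inputs quoted in the thread (constructed sample, nothing else is fetched).
    for sample in ("<p>{{DATE(2017-02-14T06:08:39Z)}}</p>", "<p>{{}}</p>"):
        print(sample, "->", render(sample))
```

Running the two samples from the post reproduces the reported output, `<p>{<!-- -->{DATE(2017-02-14T06:08:39Z)}}</p>` and `<p>{<!-- -->{}}</p>`. The rendered HTML still displays `{{DATE(...)}}` to a human reader, because an empty comment has no visible effect; what changes is that the text no longer contains the two-character token a template engine scans for, which is the whole point of the transform.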

Mike Samuel

May 23, 2017 18:06:32
To: OWASP Java HTML Sanitizer Support

sampo.j...@wellmo.com

December 19, 2017 13:07:54
To: OWASP Java HTML Sanitizer Support
Hi,

How can this functionality be disabled? We need to sanitize HTML code which can contain Handlebars placeholders within the HTML body text (not inside tags) and the sanitizer is breaking those.

We allow customers to define HTML content containing Handlebars placeholders. We control the Handlebars context and ensure that it's safe, thus in our case it's not a security issue that the placeholders are allowed in the body text.

- Sampo

Jim Manico

December 19, 2017 18:04:09
To: owasp-java-html-...@googlegroups.com
Mike will likely answer with more depth but this library is for HTML sanitization, not template sanitization. ☹️
--
You received this message because you are subscribed to the Google Groups "OWASP Java HTML Sanitizer Support" group.
To unsubscribe from this group and stop receiving emails from it, send an email to owasp-java-html-saniti...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Mike Samuel

December 19, 2017 22:51:33
To: OWASP Java HTML Sanitizer Support
This discussion seems to be happening both here and on https://github.com/OWASP/java-html-sanitizer/issues/111

Unless someone feels strongly, let's continue discussion on the bug.
