I'm curious about AttributeBuilder matching function


양봉수

Jun 15, 2020, 2:02:33 PM
to OWASP Java HTML Sanitizer Support

@mikesamuel @JimManico


First, I'm sorry to bother you even though you're busy with other things.
I think I'm filing too many issues by myself.
I know how difficult it is to maintain open source,
so I respect your efforts. Thank you.


This topic is about the AttributeBuilder matching function.

Currently, the matching function is a whitelist structure.


For example:


```java
allowAttributes("name")
    .matching(Pattern.compile("[a-z]+"))
    .onElements("img")
```


Only lowercase letters can be used in the name attribute of an img tag.


However, what if I want the opposite case?

What if I want to block lowercase letters in the name attribute of an img tag (a blacklist structure)?


In that case, I can make my own AttributePolicy (if matched, return null).


```java
.matching(new AttributePolicy() {
  @Nullable
  @Override
  public String apply(String elementName, String attributeName, String value) {
    // returning null drops the attribute; returning the value keeps it
    return Pattern.compile("[b-zA-Z'\"]+").matcher(value).matches() ? null : value;
  }
})
```


At first, I thought I didn't need blacklist matching functions,

because it is not difficult to implement and use them.


However, some people (in my corp) said they wanted the function.


For example:

```java
public AttributeBuilder disallowMatching(final Pattern pattern) {
  return matching(new AttributePolicy() {
    public @Nullable String apply(
        String elementName, String attributeName, String value) {
      // inverse of matching(Pattern): a full match drops the attribute
      return pattern.matcher(value).matches() ? null : value;
    }
  });
}
```


So I'm curious about your opinion.




Mike Samuel

Jun 15, 2020, 2:12:29 PM
to OWASP Java HTML Sanitizer Support
Different people have different preferences re complex RegExps.
The important thing is that, whichever of matching(AttributePolicy) or matching(Pattern) you choose, write some unit tests for it.

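The two builder shapes from the question, assembled into complete policies with the kind of unit-test-style checks Mike recommends. This is an added example, not code from the thread or from the OWASP Java HTML Sanitizer project: `disallowMatching` is the poster's hypothetical helper written as a stand-alone `AttributePolicy` factory rather than a method on `AttributeBuilder`, and the input strings are constructed.

```java
import java.util.regex.Pattern;

import org.owasp.html.AttributePolicy;
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

public class DisallowMatchingExample {

  // Hypothetical helper (not part of the library): the blacklist counterpart of
  // AttributeBuilder.matching(Pattern). A null return drops the attribute, so a
  // value that fully matches the pattern is removed and anything else is kept.
  static AttributePolicy disallowMatching(final Pattern pattern) {
    return new AttributePolicy() {
      @Override
      public String apply(String elementName, String attributeName, String value) {
        return pattern.matcher(value).matches() ? null : value;
      }
    };
  }

  // Whitelist form from the question: only lowercase letters survive.
  static final PolicyFactory ALLOW_LOWERCASE_ONLY = new HtmlPolicyBuilder()
      .allowElements("img")
      // by default the sanitizer drops an <img> left with no attributes at all;
      // keep it so the element's survival does not hide what happened to "name"
      .allowWithoutAttributes("img")
      .allowAttributes("name").matching(Pattern.compile("[a-z]+")).onElements("img")
      .toFactory();

  // Blacklist form from the question: lowercase-only values are dropped.
  static final PolicyFactory BLOCK_LOWERCASE = new HtmlPolicyBuilder()
      .allowElements("img")
      .allowWithoutAttributes("img")
      .allowAttributes("name").matching(disallowMatching(Pattern.compile("[a-z]+"))).onElements("img")
      .toFactory();

  // True when the sanitized output still carries a name attribute.
  static boolean keepsName(PolicyFactory policy, String html) {
    return policy.sanitize(html).contains("name=");
  }

  static void check(boolean condition, String what) {
    if (!condition) {
      throw new AssertionError(what);
    }
    System.out.println("ok: " + what);
  }

  public static void main(String[] args) {
    // constructed inputs
    String lower = "<img name=\"avatar\">";
    String mixed = "<img name=\"Avatar1\">";
    String punctuated = "<img name=\"avatar!\">";
    String attack = "<img name=\"x\" onerror=\"alert(1)\">";

    // whitelist: lowercase passes, everything else is dropped
    check(keepsName(ALLOW_LOWERCASE_ONLY, lower), "whitelist keeps lowercase");
    check(!keepsName(ALLOW_LOWERCASE_ONLY, mixed), "whitelist drops mixed case");
    check(!keepsName(ALLOW_LOWERCASE_ONLY, punctuated), "whitelist drops punctuation");

    // blacklist: lowercase is dropped, everything else passes, including values
    // that only partially match because matches() requires a full-value match
    check(!keepsName(BLOCK_LOWERCASE, lower), "blacklist drops lowercase");
    check(keepsName(BLOCK_LOWERCASE, mixed), "blacklist keeps mixed case");
    check(keepsName(BLOCK_LOWERCASE, punctuated), "blacklist keeps 'avatar!' (no full match)");

    // an attribute that was never allowed is removed no matter which form is used
    check(!ALLOW_LOWERCASE_ONLY.sanitize(attack).contains("onerror"), "whitelist strips onerror");
    check(!BLOCK_LOWERCASE.sanitize(attack).contains("onerror"), "blacklist strips onerror");
  }
}
```

The `punctuated` case is the one to keep in mind when weighing the two forms: `Matcher.matches()` anchors to the whole value, so a blacklist pattern only removes values that match it end to end, and `"avatar!"` sails through `BLOCK_LOWERCASE` while `ALLOW_LOWERCASE_ONLY` rejects it. That asymmetry is the usual argument for the whitelist form, and it is exactly the kind of behaviour a unit test should pin down before either policy ships.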

양봉수

Jun 23, 2020, 9:26:07 PM
to owasp-java-html-...@googlegroups.com
My question was not clear, sorry.

We already have allow/disallow functions,
e.g. allowElements, disallowElements.

What do you think about applying it the same way to matching?
e.g. matching / disallowMatching


On Tue, Jun 16, 2020 at 3:12 AM, Mike Samuel <mikes...@gmail.com> wrote: