Upgrade from Antisamy to OWASP Java HTML Sanitizer


saurav...@gmail.com

Nov 20, 2018, 11:00:14 AM
to OWASP Java HTML Sanitizer Support
Hi,

In our project we have a requirement to upgrade from Antisamy to OWASP Java HTML Sanitizer.

The problem we are facing is that we need to block only a few elements. So it was pretty straightforward in Antisamy. We just mentioned the names of those tags and blocked them.

Now in OWASP, everything is blocked by default. How can we enable all the tags except the ones that we need to block?

PolicyFactory policy = new HtmlPolicyBuilder().allowElements("table", "tr", "td", "href", "body", "th", "font", "button", "input", "select") is not an option as we don't want to provide the name of each and every element.

Is there something like PolicyFactory policy = new HtmlPolicyBuilder().allowElements(*) that will allow us to add all the elements in HTML?

Thanks
Saurav Aggarwal

Mike Samuel

Nov 21, 2018, 9:34:30 AM
to owasp-java-html-...@googlegroups.com
On Tue, Nov 20, 2018 at 11:00 AM <saurav...@gmail.com> wrote:
> Hi,
>
> In our project we have a requirement to upgrade from Antisamy to OWASP Java HTML Sanitizer.
>
> The problem we are facing is that we need to block only a few elements. So it was pretty straightforward in Antisamy. We just mentioned the names of those tags and blocked them.
>
> Now in OWASP, everything is blocked by default. How can we enable all the tags except the ones that we need to block?
>
> PolicyFactory policy = new HtmlPolicyBuilder().allowElements("table", "tr", "td", "href", "body", "th", "font", "button", "input", "select") is not an option as we don't want to provide the name of each and every element.

https://html.spec.whatwg.org/multipage/indices.html#elements-3 has about 120 elements. That is not a small list, but is not huge. What would you want beyond that?

> Is there something like PolicyFactory policy = new HtmlPolicyBuilder().allowElements(*) that will allow us to add all the elements in HTML?

No. Nor will there be. The sanitizer aims to produce HTML that is safe to include. A safe policy shouldn't become unsafe when standards bodies add elements or attributes to the language, or when the document in which it is embedded registers a new custom element, or when run in a browser that defines non-standard elements or attributes. So allowElements("*") would be incompatible with project goals.

> Thanks
> Saurav Aggarwal
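An added example of the allow-list approach the reply describes (this is not code from the thread or from the OWASP project). It composes the library's prebuilt Sanitizers with an explicit list of the table-related elements the question mentions, grants only the attributes those elements need, and runs a constructed input through the policy. It assumes the org.owasp.html package (the owasp-java-html-sanitizer artifact) is on the classpath; the sample input is constructed, and my-widget is a hypothetical custom element standing in for anything a future spec or browser might define.

```java
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;
import org.owasp.html.Sanitizers;

public class AllowListPolicyExample {

    // Allow-list policy: only elements and attributes named here survive.
    // Anything the spec, a browser, or the embedding page adds later is
    // dropped until someone deliberately extends this list.
    static final PolicyFactory POLICY = Sanitizers.FORMATTING   // b, i, u, em, strong, ...
        .and(Sanitizers.BLOCKS)                                 // p, div, h1-h6, ul, ol, li, ...
        .and(Sanitizers.LINKS)                                  // a with href on safe protocols
        .and(new HtmlPolicyBuilder()
            // Table elements from the question. "href" is an attribute of <a>,
            // which Sanitizers.LINKS already covers, so it is not listed here.
            .allowElements("table", "thead", "tbody", "tfoot", "caption",
                           "tr", "td", "th", "font")
            // Attributes are allow-listed per element; event handlers such as
            // onclick are never granted and are stripped.
            .allowAttributes("colspan", "rowspan").onElements("td", "th")
            .allowAttributes("color", "face", "size").onElements("font")
            // <font> is on the library's default drop-if-attribute-less list;
            // keep it even when it carries no attributes.
            .allowWithoutAttributes("font")
            .toFactory());

    public static String sanitize(String untrustedHtml) {
        return POLICY.sanitize(untrustedHtml);
    }

    public static void main(String[] args) {
        // Constructed sample input: mixes elements the policy names with
        // elements it does not (script, a hypothetical custom element, button).
        String input =
            "<table><tr><td colspan=\"2\" onclick=\"alert(1)\">cell</td></tr></table>"
            + "<script>alert(1)</script>"
            + "<my-widget>custom</my-widget>"
            + "<button>press</button>"
            + "<p>A <b>bold</b> <a href=\"https://example.com/\">link</a></p>";
        System.out.println(sanitize(input));
    }
}
```

Because the policy is an allow-list, the elements from the question that are not named (button, input, select) are removed along with script and the custom element, and the onclick attribute is stripped from the cell it sits on. Enabling a further element is a one-line, reviewable change to the policy; the 120-element list from the spec is the upper bound of what such a list could ever contain, and in practice a sanitizer for user content needs far fewer.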
