OWASP Sanitizer removes everything enclosed in angular brackets


pankaj...@gmail.com

Nov 16, 2018, 2:48:12 PM
to OWASP Java HTML Sanitizer Support
Hello Guys,
Is there any way to allow input enclosed in angular brackets?
Example : <abc.xyz:stu.version-1.0.0>
OWASP removes everything which is enclosed in angular brackets.

Mike Samuel

Nov 16, 2018, 2:57:53 PM
to owasp-java-html-...@googlegroups.com
The sanitizer takes in HTML and puts out HTML.

If I load
Example : <abc.xyz:stu.version-1.0.0> 
into a browser as HTML, I see the attached in the dev console, so AFAICT, the sanitizer is correctly classifying it as a disallowed tag.




--
You received this message because you are subscribed to the Google Groups "OWASP Java HTML Sanitizer Support" group.
To unsubscribe from this group and stop receiving emails from it, send an email to owasp-java-html-saniti...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Screen Shot 2018-11-16 at 2.56.10 PM.png

Pankaj Dighe

Nov 16, 2018, 6:28:54 PM
to OWASP Java HTML Sanitizer Support
Hi Mike,

Thanks for the response. What can be the best way to allow tags like this (<abc.xyz:stu.version-1.0.0>)? Is there any way to accept tags matching a regex pattern (using HtmlPolicyBuilder)?


Mike Samuel

Nov 26, 2018, 11:16:19 AM
to owasp-java-html-...@googlegroups.com
On Fri, Nov 16, 2018 at 6:28 PM Pankaj Dighe <pankaj...@gmail.com> wrote:
Hi Mike,

Thanks for the response. What can be the best way to allow tags like this (<abc.xyz:stu.version-1.0.0>)? Is there any way to accept tags matching a regex pattern (using HtmlPolicyBuilder)?

No.  All element names must be explicitly listed.
You could use a preprocessor to change open tags like <abc.xyz:stu.version-1.0.0> into text nodes &lt;abc.xyz:stu.version-1.0.0&gt; which would survive the sanitizer.
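An added example (not from this thread or from the sanitizer project) of the preprocessor approach described in the last reply, written against the real HtmlPolicyBuilder / PolicyFactory API. The class and method names, the sample policy, and the rule of escaping only tag-like tokens whose name contains '.' or ':' (names no policy could ever allow, so the sanitizer's treatment of real HTML is unchanged) are assumptions made here.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

/**
 * Pre-processor for the OWASP Java HTML Sanitizer (hypothetical helper): tag-like tokens whose
 * "element name" contains '.' or ':' (e.g. <abc.xyz:stu.version-1.0.0>) are turned into escaped
 * text before sanitizing, so they survive as visible text instead of being dropped as unknown tags.
 */
public final class VersionTokenEscaper {

    // Sample policy; any allowlist works, because the pre-processor never touches names a
    // policy could list (plain letters, digits and '-').
    private static final PolicyFactory POLICY = new HtmlPolicyBuilder()
            .allowElements("p", "b", "i", "em", "strong", "br")
            .toFactory();

    // "<", optional "/", a name starting with a letter, then anything up to the next ">".
    // '<' is excluded inside the match so a following real tag is never swallowed.
    private static final Pattern TAG_LIKE = Pattern.compile("<(/?)([A-Za-z][^\\s<>/]*)([^<>]*)>");

    // A name containing '.' or ':' is not an HTML element name any policy will allow.
    private static final Pattern NOT_AN_ELEMENT_NAME = Pattern.compile("[.:]");

    /** Escapes the angle brackets of <name ...> or </name> when name contains '.' or ':'. */
    static String escapeDottedTags(String html) {
        Matcher m = TAG_LIKE.matcher(html);
        StringBuilder out = new StringBuilder(html.length());
        while (m.find()) {
            String token = m.group();
            if (NOT_AN_ELEMENT_NAME.matcher(m.group(2)).find()) {
                // Same characters, but now a text node: <x.y:z> becomes &lt;x.y:z&gt;
                token = "&lt;" + token.substring(1, token.length() - 1) + "&gt;";
            }
            m.appendReplacement(out, Matcher.quoteReplacement(token));
        }
        m.appendTail(out);
        return out.toString();
    }

    /** Pre-process first, then run the normal policy; escaping only ever makes input more inert. */
    static String sanitize(String untrusted) {
        return POLICY.sanitize(escapeDottedTags(untrusted));
    }

    public static void main(String[] args) {
        System.out.println(sanitize("Example : <abc.xyz:stu.version-1.0.0> is <b>kept</b>"));
    }
}
```

Because the preprocessor only adds escaping and only for tokens no policy can allow, it cannot widen what the sanitizer lets through; a token such as <b> or <script> still reaches the sanitizer exactly as before.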