java-html-sanitizer
Takes third-party HTML and produces HTML that is safe to embed in your web application. Fast and easy to configure.
This recent breaking changes - Forces validating global style content with CSSSchema - Earlier we had better options separately allowAttributes("style").globally() - doesn't sanitize, allowStyling() - did sanitize. - make disallowAttribute("style").globally()...
The first line of the "COPYING" file says "You may use under either the Apache License Version 2.0 or the BSD 3-Clause License." however, the included BSD license in that...
Licensing issue: ----------------- According to the first sentence at https://github.com/OWASP/java-html-sanitizer/blob/main/COPYING, there is a multi-licensing between Apache-2.0 and BSD-3-Clause. Later on, the license text of the BSD-2-Clause is stated. So there...
After update to 20240325.1 there occur exceptions `ClassNotFoundException: org.owasp.shim.Java8Shim`. I could not find documentation about which additional libraries have to be included on which Java platform such that things work...
See #132 for the motivation. Did not use a builder since having access to StylingPolicy.apply can be very critical
We are working with PrimeFaces v13.0.8, which has a dependency on _owasp-java-html-sanitizer_. With the 0240325.1 version, it has two new dependencies: - Java 8 Shim - Java 10 Shim We are working...
Hi, I am running into a case where I would like to enforce having two specific attributes on a tag, else the tag is illegal. As an example, `` should...
Sanitizing ``` ... ``` content with StylingPolicy then letting add a parent css selector per line item could be a nice feature. For example, following style content: ``` h1 {...
Upgrading to version 20240325.1 (previous 20220608.1 works fine) makes my testing fail because the order of REL values changes. What is worse, when I fix the order it passes with JDK17...
After this change, all values currently listed on MDN for text-align are allowed: https://developer.mozilla.org/en-US/docs/Web/CSS/text-align#values `left` and `right` are not in `textAlignLiterals0`, but they are already included through `azimuthLiterals1`: https://github.com/OWASP/java-html-sanitizer/blob/f729a089b20aef49ed9ffd7ed1c7e207eee71dc5/owasp-java-html-sanitizer/src/main/java/org/owasp/html/CssSchema.java#L315 https://github.com/OWASP/java-html-sanitizer/blob/f729a089b20aef49ed9ffd7ed1c7e207eee71dc5/owasp-java-html-sanitizer/src/main/java/org/owasp/html/CssSchema.java#L714-L716