java-html-sanitizer
add tag in safeName method in HtmlStreamRenderer
I organized the guide to use a different tag (reference is MDN)
<frame> -> <iframe>
https://developer.mozilla.org/en-US/docs/Web/HTML/Element/frame
<applet> -> <object>
https://developer.mozilla.org/en-US/docs/Web/HTML/Element/applet
<basefont> -> <font> (but font is obsolete too)
https://developer.mozilla.org/en-US/docs/Web/HTML/Element/basefont
<acronym> -> <abbr>
https://developer.mozilla.org/en-US/docs/Web/HTML/Element/acronym
<strike> -> <del> or <s>
https://developer.mozilla.org/en-US/docs/Web/HTML/Element/strike
<tt> -> <code>, <kbd>, <samp>, <var> or <pre>
https://developer.mozilla.org/en-US/docs/Web/HTML/Element/tt
<command> -> <menuitem>
https://developer.mozilla.org/en-US/docs/Web/HTML/Element/command
<dir> -> <ul>
https://developer.mozilla.org/en-US/docs/Web/HTML/Element/dir
@mikesamuel
- Sub compatibility will be broken. The tags that were well expressed before are changed. But I think it is right to change because HTML is updated. How about you?
- basefont and strike and tt tags are difficult to decide.
static String safeName(String unsafeElementName) {
  String elementName = HtmlLexer.canonicalName(unsafeElementName);
  // Substitute a reliably non-raw-text element for raw-text and
  // plain-text elements, and a current element for the obsolete
  // elements listed above (frame, applet, acronym, command, dir).
  // The switch on length avoids a string comparison for every name.
  switch (elementName.length()) {
    case 3:
      if ("xmp".equals(elementName)) { return "pre"; }
      if ("dir".equals(elementName)) { return "ul"; }
      break;
    case 5:
      if ("frame".equals(elementName)) { return "iframe"; }
      break;
    case 6:
      if ("applet".equals(elementName)) { return "object"; }
      break;
    case 7:
      if ("listing".equals(elementName)) { return "pre"; }
      if ("acronym".equals(elementName)) { return "abbr"; }
      if ("command".equals(elementName)) { return "menuitem"; }
      break;
    case 9:
      if ("plaintext".equals(elementName)) { return "pre"; }
      break;
  }
  return elementName;
}
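A stand-alone Java model of the substitution above, added here as an example (it is not the project's HtmlStreamRenderer). The table repeats the mappings from this PR; canonicalName() is an assumed simplification of HtmlLexer.canonicalName (ASCII lower-casing only); main() checks the mappings and runs a table self-check that no replacement is itself raw-text or rewritten a second time.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

/**
 * Added example modelling safeName from this PR. Not the project's code:
 * the table repeats the PR's mappings and canonicalName() is a simplified
 * stand-in (assumption) for HtmlLexer.canonicalName.
 */
public final class SafeNameExample {

  /** Raw-text / plain-text elements: browsers do not parse markup inside
   *  them, so the renderer's normal text escaping does not hold there.
   *  They are always rewritten to an ordinary element. */
  static final Set<String> RAW_TEXT_ELEMENTS =
      new HashSet<>(Arrays.asList("xmp", "listing", "plaintext"));

  /** element name -> replacement, as listed in the PR. */
  static final Map<String, String> SUBSTITUTIONS;
  static {
    Map<String, String> m = new HashMap<>();
    m.put("xmp", "pre");
    m.put("listing", "pre");
    m.put("plaintext", "pre");
    m.put("frame", "iframe");     // obsolete -> iframe
    m.put("applet", "object");    // obsolete -> object
    m.put("acronym", "abbr");     // obsolete -> abbr
    m.put("command", "menuitem"); // obsolete -> menuitem
    m.put("dir", "ul");           // obsolete -> ul
    SUBSTITUTIONS = Collections.unmodifiableMap(m);
  }

  /** Simplified canonicalization (assumption): ASCII lower-casing only. */
  static String canonicalName(String unsafeElementName) {
    return unsafeElementName.toLowerCase(Locale.ROOT);
  }

  /** Same contract as the PR's safeName: canonicalize, then substitute. */
  static String safeName(String unsafeElementName) {
    String elementName = canonicalName(unsafeElementName);
    return SUBSTITUTIONS.getOrDefault(elementName, elementName);
  }

  /**
   * Table self-check a reviewer would want: no replacement is a raw-text
   * element, and no replacement is a key that would be rewritten again.
   */
  static void checkTable() {
    for (Map.Entry<String, String> e : SUBSTITUTIONS.entrySet()) {
      String target = e.getValue();
      if (RAW_TEXT_ELEMENTS.contains(target) || SUBSTITUTIONS.containsKey(target)) {
        throw new IllegalStateException(
            "unsafe replacement: " + e.getKey() + " -> " + target);
      }
    }
  }

  private static void expect(String expected, String actual) {
    if (!expected.equals(actual)) {
      throw new AssertionError("expected " + expected + " but got " + actual);
    }
  }

  public static void main(String[] args) {
    checkTable();
    expect("pre", safeName("XMP"));       // case is canonicalized before lookup
    expect("pre", safeName("plaintext"));
    expect("iframe", safeName("frame"));
    expect("ul", safeName("Dir"));
    expect("menuitem", safeName("command"));
    expect("strike", safeName("strike")); // not mapped by this PR: passes through
    expect("div", safeName("div"));       // ordinary elements are untouched
    System.out.println("all substitutions behave as expected");
  }
}
```

Compile and run with `javac SafeNameExample.java && java SafeNameExample`. The map form and the PR's length-switch give the same results; the map is easier to review when more obsolete tags are added, and checkTable() keeps the replacement targets consistent with whatever set of names the renderer treats as raw text (here only the three the PR already rewrites).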
You are one of the first volunteers to dig so deeply into Mike's parser code. You should be proud. Thank you!
-- Jim Manico @Manicode
On Jun 4, 2020, at 3:54 AM, yangbongsoo [email protected] wrote:
I organized the guide to use a different tag (reference is MDN)
->
@jmanico thank you. Our team (in our corporation) decided to use the sanitizer. But I want to contribute to the continuous development of the sanitizer, not just use it. I think this is the true open source value.
In addition, the tags below received warnings from MDN.
frameset : Deprecated. no longer recommended.
keygen : Obsolete. try to avoid using it
big : Obsolete. try to avoid using it
noframes : Obsolete. try to avoid using it
isindex : Obsolete. try to avoid using it (all browser compatibility none)
But MDN doesn't guide which other tags to use.