java-html-sanitizer icon indicating copy to clipboard operation
java-html-sanitizer copied to clipboard

Published 20 hours ago verified publisher icon OWASP

Do not ignore attributes allowed globally together with 'style' (#237)

Open corebonts opened this issue 4 years ago • 2 comments

Also, allowStyling() internally allows the 'style' attribute, so it is not necessary to ignore it.

corebonts avatar Oct 27 '21 16:10 corebonts

Thanks for adding a testcase. The check for style as the zero-th element seems good to change, but what prompted this?

Instead of using null for the policy, and checking == null, can we check for the identity policy? My vague recollection was that .join was pretty good about just returning x when joining x with the identity policy.

mikesamuel avatar Nov 05 '21 21:11 mikesamuel

First, thanks for reviewing it. But sorry, it's not clear, what prompted what? The change that calls allowStyling() when "style" property is allowed or the change that uses now the contains check instead of the zero-th element check?

For the first, I don't know, it's someone else's change and I don't know the reason behind it. For me it also feels a bit magical. For the latter one, we had failing tests in our product when we updated to the latest sanitizer.

And for your comment about the nullcheck, you're right, I will change that.

corebonts avatar Nov 10 '21 18:11 corebonts