
Extra characters got added during sanitization of html

Open · arpitbansal1581 opened this issue 3 years ago · 1 comment

Hi,

We are using the owasp-java-html-sanitizer-20211018.2.jar library to sanitize custom-generated HTML, and we came across the following situation where extra characters were added to the HTML during sanitization.

Input string: `{1:F21TEMPBIC}{4:{177:2203031005}{451:0}}{{311:ACK}{108:MA33A03110SZ0TFC}}`

Output string: `{1:F21TEMPBIC}{4:{177:2203031005}{451:0}}{<!-- --> {311:ACK}{108:MA33A03110SZ0TFC}}`

It would be great if someone could guide me on how to handle this situation, or whether it can be considered as an enhancement or bug fix.

arpitbansal1581 avatar Apr 25 '22 12:04 arpitbansal1581

@arpitbansal1581 This is expected: `{{` gets converted into `{<!-- -->{` to avoid XSS arising from templates.

Also, this library is best suited to sanitizing HTML strings.

https://github.com/OWASP/java-html-sanitizer/blob/master/docs/client-side-templates.md

subbudvk avatar Nov 27 '23 04:11 subbudvk
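The behaviour discussed in this thread, reproduced as an added example (not code from the issue or from the java-html-sanitizer project itself): a small policy built with `HtmlPolicyBuilder` is run over the reporter's brace-delimited message and over a constructed HTML fragment carrying a Mustache/Handlebars-style `{{...}}` expression. The policy contents (`b`, `i`, `p`) and the sample inputs are assumptions chosen for illustration; the `{{` splitting is done by the library's text encoding regardless of which elements the policy allows.

```java
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

/**
 * Added example: shows that the OWASP Java HTML Sanitizer breaks up "{{"
 * sequences in text content by inserting an empty HTML comment, so that
 * sanitized output cannot be picked up as a client-side template expression.
 */
public class TemplateBraceDemo {

    // Assumed policy for the demo: a few formatting elements, nothing else.
    // The "{{" handling does not depend on the allowed-element list.
    private static final PolicyFactory POLICY = new HtmlPolicyBuilder()
            .allowElements("b", "i", "p")
            .toFactory();

    /** Runs the policy over one string and returns the sanitized result. */
    static String sanitize(String input) {
        return POLICY.sanitize(input);
    }

    /** True if sanitization inserted the comment that splits a "{{" pair. */
    static boolean braceSplitInserted(String input, String output) {
        return input.contains("{{") && output.contains("{<!-- -->{");
    }

    public static void main(String[] args) {
        // Constructed input: the reporter's message format. It is not HTML,
        // but it does contain a "{{" pair, which is what triggers the change.
        String braceMessage =
                "{1:F21TEMPBIC}{4:{177:2203031005}{451:0}}"
                        + "{{311:ACK}{108:MA33A03110SZ0TFC}}";

        // Constructed input: genuine HTML carrying a template expression.
        // This is the case the splitting exists to neutralize.
        String templatedHtml = "<p>Hello <b>{{user.name}}</b></p>";

        for (String input : new String[] {braceMessage, templatedHtml}) {
            String output = sanitize(input);
            System.out.println("input : " + input);
            System.out.println("output: " + output);
            System.out.println("split : " + braceSplitInserted(input, output));
            System.out.println();
        }
    }
}
```

For the first input the thread reports `{451:0}}{<!-- -->{311:ACK}` in place of `{451:0}}{{311:ACK}`. The point for a practitioner is the maintainer's second remark: this is an HTML sanitizer, and a string that is not HTML at all (such as the brace-delimited message above) will still be treated as HTML text content and rewritten accordingly.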