java-html-sanitizer elements get removed even when allowed by the policy

elements get removed even when allowed by the policy

Open kocakosm opened this issue 2 years ago • 2 comments

Hi,

 elements get removed by the sanitizer even when they are allowed by the policy.

For instance I'd expect the following code :

Sanitizers.FORMATTING.sanitize("<span>Hi!</span>")

to return Hi! instead of Hi!.

The exact same behaviour can be observed with a custom policy :

new HtmlPolicyBuilder().allowElements("span").toFactory().sanitize("<span>Hi!</span>")

returns Hi! instead of Hi!.

Also, note that other HTML5 inline formatting elements (such as b, i, s, u, sup, sub, ins, del, strong, code, small and em) are not affected by this "bug".

Thanks for your help.

Jun 06 '23 16:06 kocakosm

You can see this behaviour in this sample project.

Jun 06 '23 16:06 kocakosm

Empty span is dropped, because it is part on DEFAULT_SKIP_IF_EMPTY.

You need to allow it using allowWithoutAttributes. cf. https://github.com/OWASP/java-html-sanitizer/blob/91c5fdc146a01aab1e8b0db38be449a960fe88c1/src/test/java/org/owasp/html/HtmlPolicyBuilderTest.java#L712-L723

Jan 29 '24 19:01 csware

java-html-sanitizer
java-html-sanitizer copied to clipboard

<span> elements get removed even when allowed by the policy

java-html-sanitizer java-html-sanitizer copied to clipboard

<span> elements get removed even when allowed by the policy

java-html-sanitizer
java-html-sanitizer copied to clipboard