java-html-sanitizer

allowAttributes("style").globally() shouldn't imply allowStyling() - Regression with 2024 version

Open subbudvk opened this issue 1 year ago • 3 comments

These recent breaking changes

  • Forces validating global style content with CSSSchema. Earlier we had better options separately: allowAttributes("style").globally() - doesn't sanitize, allowStyling() - did sanitize.
  • Makes disallowAttribute("style").globally() now do allowStyling(), as pointed out in the PR by someone.

@mikesamuel @jmanico: Can you kindly have a look, as we are facing issues after the 2024 version upgrade.

Fixes https://github.com/OWASP/java-html-sanitizer/issues/331

subbudvk avatar Apr 11 '24 01:04 subbudvk

@mikesamuel

subbudvk avatar Apr 16 '24 15:04 subbudvk

Please also add test cases for the cases that must not happen.

csware avatar Apr 22 '24 10:04 csware

@mikesamuel

subbudvk avatar May 15 '24 16:05 subbudvk
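A probe for checking how an installed version of the library treats the builder calls named in the issue, so a policy owner can see whether an upgrade changed what happens to `style` values. This is an added example, not code from the issue or from the project; the class name, the sample HTML and the made-up `-x-probe` property are constructed for illustration.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

public class StyleAttributeProbe {
    // Constructed sample: one common property plus one made-up property
    // that a CSS property whitelist would not recognise.
    static final String STYLE = "color:red;-x-probe:1";
    static final String INPUT = "<div style=\"" + STYLE + "\">text</div>";

    // Classify what a policy did to the style attribute of INPUT.
    // The raw output is printed as well, so the label can be checked by eye.
    static String classify(String output) {
        if (!output.contains("style=")) {
            return "style attribute dropped";
        }
        return output.contains(STYLE)
            ? "style passed through unchanged"
            : "style rewritten (value was filtered)";
    }

    public static void main(String[] args) {
        Map<String, PolicyFactory> policies = new LinkedHashMap<>();
        policies.put("allowAttributes(\"style\").globally()",
            new HtmlPolicyBuilder().allowElements("div")
                .allowAttributes("style").globally().toFactory());
        policies.put("allowStyling()",
            new HtmlPolicyBuilder().allowElements("div")
                .allowStyling().toFactory());
        policies.put("disallowAttributes(\"style\").globally()",
            new HtmlPolicyBuilder().allowElements("div")
                .disallowAttributes("style").globally().toFactory());

        // Run the same input through each policy and report the outcome.
        for (Map.Entry<String, PolicyFactory> e : policies.entrySet()) {
            String out = e.getValue().sanitize(INPUT);
            System.out.printf("%-42s %s%n    %s%n",
                e.getKey(), classify(out), out);
        }
    }
}
```

Running it against the library version before and after an upgrade shows, per policy, whether the `style` value is dropped, filtered or passed through, which is the difference the issue is about.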