java-html-sanitizer

Allows start, end, justify-all and match-parent as text-align values.

Open • martin-jackson opened this issue 1 year ago • 1 comment

After this change, all values currently listed on MDN for text-align are allowed: https://developer.mozilla.org/en-US/docs/Web/CSS/text-align#values

left and right are not in textAlignLiterals0, but they are already included through azimuthLiterals1:

https://github.com/OWASP/java-html-sanitizer/blob/f729a089b20aef49ed9ffd7ed1c7e207eee71dc5/owasp-java-html-sanitizer/src/main/java/org/owasp/html/CssSchema.java#L315

https://github.com/OWASP/java-html-sanitizer/blob/f729a089b20aef49ed9ffd7ed1c7e207eee71dc5/owasp-java-html-sanitizer/src/main/java/org/owasp/html/CssSchema.java#L714-L716

martin-jackson, Apr 12 '24 13:04

@mikesamuel Hi! Does this look ok to merge and release? We need to allow the missing values, and I haven't found a way to override the existing text-align rule. The union() method of CssSchema throws an exception when trying to combine the default schema with my own schema:

// text-align redefined with the additional values
var updatedTextAlign = Map.of("text-align", new CssSchema.Property(
    0,
    Set.of("center", "end", "inherit", "justify", "justify-all", "match-parent", "start", "left", "right"),
    Collections.emptyMap()));
// This union() call throws the exception
var schema = CssSchema.union(
    CssSchema.DEFAULT,
    CssSchema.withProperties(updatedTextAlign)
);

https://github.com/OWASP/java-html-sanitizer/blob/f729a089b20aef49ed9ffd7ed1c7e207eee71dc5/owasp-java-html-sanitizer/src/main/java/org/owasp/html/CssSchema.java#L204-L207

martin-jackson, May 27 '24 12:05