java-html-sanitizer
Takes third-party HTML and produces HTML that is safe to embed in your web application. Fast and easy to configure.
There is a dependency on com.google.guava:guava:30.1-jre, which is known to be vulnerable: [CVE-2023-2976](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2976)
While trying to use `.allowElements()`, I noticed some surprising results: different tags yield different kinds of output. For example: 1. A policy with `HtmlPolicyBuilder().allowElements("a").toFactory().sanitize("")` returns nothing; 2. A policy with...
Fix #187 The length of the input should not really be validated in the sanitizer; rather, the whole HTTP request body should be constrained. This PR removes the troublesome constraint.
Also, allowStyling() internally allows the 'style' attribute, so it is not necessary to ignore it.
Hi, is there a way to sanitize something like `If b is 0 and a is 1 then b
wynne.jg reports: Consider the following whitelist • tag and its attribute src is allowed • tags are getting converted to tags if I then try to sanitize ```html ``` I...
Even with `allowStyling()`, this: ```html ``` becomes ```html ``` It seems that "display: grid" and all the other CSS grid properties are not part of the list of valid properties....
input: ```html ``` policy: `Sanitizers.BLOCKS .and(Sanitizers.FORMATTING) .and(Sanitizers.LINKS) .and(Sanitizers.TABLES) .and(Sanitizers.IMAGES) .and(Sanitizers.STYLES) .and(new HtmlPolicyBuilder() .allowElements("style") .allowAttributes("style").onElements("td", "table", "div") .allowAttributes("type", "word-break").onElements("style") .toFactory());` Expected output (should contain word-break). ```html ```
Hello, the codingame game engine, which allows people to create games for its platform, uses your sanitizer on the game documentation. When I tried to implement some overflow on tables,...
Currently `EbayPolicyExample`, `SlashdotPolicyExample` and `UrlTextExample` are part of the final package, currently `owasp-java-html-sanitizer-20190610.1.jar`. These examples are great for understanding the capabilities of the project. But they should not be...