java-html-sanitizer
Takes third-party HTML and produces HTML that is safe to embed in your web application. Fast and easy to configure.
When sanitizing element with inline font-family css attribute, generic-named font family names with hyphens/dashes are wrongly quoted with single quotes (Generic family names are keywords and must not be quoted,...
We are currently embedding the java-html-sanitizer in our open source library at https://github.com/apache/sling-org-apache-sling-xss/. We have recently migrated the XSS bundle from AntiSamy to the java HTML sanitizer. We have...
Hello, the method **org.owasp.html.Encoding.encodeHtmlAttribOnto** is not visible from outside. Please, how did you test it in EncodingTest since it's not a public method? Kind regards.
Hi, I have a problem with the sanitizer. This sanitizer removes embedded CSS classes in an HTML file after sanitizing. For example, in the HTML file I have the CSS classes below. #mainbody {...
HtmlSanitizer encodes the given input to `` that should be `` Since `svg+xml` is not a recognizable mimetype for browsers, they are just ignored.
First of all, thank you for continuously doing the version up. 1. Added comment for newly added inAttribute in appendDecodedEntity method. 2. Like the order of the appendDecodedEntity method parameter,...
Hi, We are using this library in [Zimbra](https://github.com/Zimbra/java-html-sanitizer-release-20190610.1) for sanitization of the e-mail body and during sanitization of the customer-generated HTML, we came across the following situation when we have...
For example `height` property is available in DEFAULT CssSchema but `initial` is not included in the possible values for `height` property. Is there a way I can add more values...
[RFC 3966 "The tel URI for Telephone Numbers"](https://datatracker.ietf.org/doc/html/rfc3966) defines the URI scheme "tel". The OWASP sanitizer currently does not handle these correctly: both escaping certain characters when it "MUST NOT",...
``` There is no existing documentation on how to allow data: and tel: URLs. Add an example that demonstrates how HtmlPolicyBuilder.allowUrlProtocols can be used with data: and tel:. ``` Original...