java-html-sanitizer

Takes third-party HTML and produces HTML that is safe to embed in your web application. Fast and easy to configure.

Results 114 java-html-sanitizer issues

As reported in other issues, CSS 3 and 4 properties are not defined in DEFINITIONS in https://github.com/OWASP/java-html-sanitizer/blob/main/src/main/java/org/owasp/html/CssSchema.java. Is there a reason to map the DEFINITIONS to lower-level CSS? any...

Hello there, for some reason, OWASP Java HTML Sanitizer seems just to remove all content after a tag instead of just removing it. Input: `Plaintext with some surprises and...

For instance, ``` this is a para ``` The above HTML text results in invalid HTML text because of tag . But, if I write the HTML as shown below then...

The input is like below: ````md ```html data" or "data ``` ```` , for th and tbody, the case is similar. The common point is that there is no table...

Something like the following would be really nice: ``` public interface HtmlChangeListener { /** Called when a tag is discarded from the input. */ public void discardedTag(@Nullable T context, String...

## Observation After reading the [javadocs on thread safety for the HTML policy builder](https://github.com/OWASP/java-html-sanitizer/blob/33d319f876abbb35cb95eddf9705c46bd96822bd/src/main/java/org/owasp/html/HtmlPolicyBuilder.java#L144-L154), I am somewhat, but not entirely, confident about what I should be doing. Very clear: >...

Constructing an HtmlPolicyBuilder with zero-defined global attributes, globally, leads to an Array out of bounds exception. Here is sample code that produces the problem: ```java new HtmlPolicyBuilder().allowElements().allowAttributes().globally().toFactory(); ``` The exception comes...

* any input that causes the problem: * The default policy: EbayPolicyExample * the output you expect: The example code: String html = ""; String expected = ""; SanitizedResult...

Hi, String entryText = "alert("Hello")"; Policy policy = new HtmlPolicyBuilder().toFactory(); String result = policy.sanitize(entryText); The output of this is "" but I am expecting "Hello". _"This is test alert('Hello')"_ for...

While compiling I tripped a randomized test failure for testUnderStress. Setting the seed replicates the issue. One note, I did this from a Windows 10 machine and to get the...