java-html-sanitizer

Takes third-party HTML and produces HTML that is safe to embed in your web application. Fast and easy to configure.

Results 114 java-html-sanitizer issues

The HTML living standard ( https://html.spec.whatwg.org/multipage/syntax.html#character-references ) states: > The numeric character reference forms described above are allowed to reference any code point excluding U+000D CR, noncharacters, and controls other...

An invalid list, still parsed correctly by browsers and email clients of the sort: ```html Topic 1 Item 1 Item 2 Sub 1 Sub 2 Sub 3 Item 3 ```...

I have one URL like the one below in an HTML anchor tag. `ZZZZ` When I apply HTML sanitization, why is this value `&num` replaced by # and the output HTML is...

It looks like the current implementation of the HTML sanitizer removes all comments, including hints for MSIE. Is there any reason why this isn't present? Most processors for HTML documents...

Hi, so I have a text as "" and the following is the policy: ```java PolicyFactory policy = new HtmlPolicyBuilder() .allowElements("a") .allowUrlProtocols("https", "http") .allowAttributes("href").onElements("a") .toFactory(); ``` When I sanitize it,...

If the user input string is: ```html aaa bbbtest1 ``` and the policy is defined as this: ```java PolicyFactory LINKS_RAW = (new HtmlPolicyBuilder()).allowElements("a").allowStandardUrlProtocols().allowAttributes("href","target").onElements("a").toFactory() ``` then when checking the "a" tag attribute href, StandardUrlAttributePolicy will be...

I am using the policy below: ```java PolicyFactory policy = new HtmlPolicyBuilder() .allowElements("a", "pre") .allowUrlProtocols("https", "http") .allowAttributes("href").onElements("a") .requireRelNofollowOnLinks().toFactory(); ``` And I am trying to filter out the HTML string below:...

It doesn't look like there's any way to configure the HTML sanitizer to allow css variables in inline styles. Given the following policy: ```java HtmlSanitizer.Policy policy = new HtmlPolicyBuilder() .allowStyling()...

It looks like the `TABLES` PolicyFactory in [Sanitizers](/OWASP/java-html-sanitizer/blob/master/src/main/java/org/owasp/html/Sanitizers.java) class does not allow the colspan attribute on `td` and `th` elements. I see no reason why it couldn't.

I organized the results made through `PolicyFactory.and(PolicyFactory f)` **What I want to know exactly** : with `afterPolicy = beforePolicy.and(newPolicy)` how has the afterPolicy changed from beforePolicy? ## 1. `allowWithoutAttributes` `disallowWithoutAttributes`...