java-html-sanitizer

Doctype declaration is always removed

Open Aetherus opened this issue 8 years ago • 2 comments

I'm using HtmlPolicyBuilder to build my HTML sanitization policy and I came across the issue that the doctype declaration is always removed after sanitization. How can I build a PolicyFactory that retains doctype declaration?

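import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

// Policy that allows only the <html> element
PolicyFactory factory = new HtmlPolicyBuilder()
        .allowElements("html")
        .toFactory();

String html = "<!doctype html><html></html>";

// The doctype declaration is missing from the sanitized output
String sanitizedHtml = factory.sanitize(html);  //=> "<html></html>"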

Aetherus, Dec 12 '16 06:12

Why do you want to do that?

The sanitizer produces a fragment that is safe to embed, so it is typically not used with whole documents or their envelopes: doctypes, <html>, <head>, or <body> elements.

mikesamuel, Dec 12 '16 22:12
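
An added example, not part of the original thread and not the project's own code: because the sanitizer yields an embeddable fragment, one way to end up with a whole document is to sanitize only the untrusted markup and place the result inside a constant, trusted envelope that carries the doctype. The class name, the element allow-list, the `escapeText` helper and the sample input are assumptions made for illustration.

```java
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

public class FragmentInEnvelope {

    // Policy for the untrusted body content only (hypothetical allow-list).
    // Document-level constructs are intentionally not part of it.
    private static final PolicyFactory BODY_POLICY = new HtmlPolicyBuilder()
            .allowElements("p", "b", "i", "em", "strong", "ul", "ol", "li")
            .toFactory();

    // Builds a full document. The envelope is a constant written by the
    // application; only the sanitized fragment and the escaped title are
    // interpolated into it.
    static String renderDocument(String title, String untrustedHtml) {
        String safeFragment = BODY_POLICY.sanitize(untrustedHtml);
        return "<!doctype html>\n"
                + "<html><head><meta charset=\"utf-8\"><title>"
                + escapeText(title)
                + "</title></head>\n"
                + "<body>" + safeFragment + "</body></html>";
    }

    // Minimal text escaping for the title (hypothetical helper).
    static String escapeText(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&#34;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample input: a whole document supplied by an untrusted source.
        String untrusted = "<!doctype html><html><head><title>x</title></head>"
                + "<body><p onclick=\"x()\">Hello <b>world</b></p></body></html>";
        // The untrusted doctype and envelope elements are not in the policy;
        // the doctype in the result comes from the trusted template above.
        System.out.println(renderDocument("Report & summary", untrusted));
    }
}
```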

This should be stated somewhere in the README.

pvorb, Oct 19 '18 08:10