java-html-sanitizer
java-html-sanitizer copied to clipboard
OWASP
Overflow is sanitized
Hello, the codingame game engine which allow people to create games for its platform use your sanitizer on the game documentation. When I tried to implement some overflow on tables, it got sanitized. The game engine principal contributor told me that he allowed everything he could and that he didn't know your sanitizer would delete overflows.
Is this possible to allow them ?
Here is the part of their code where they sanitize the game statement, and here is the part of my html page including the overflow :
<div style="overflow-x:auto;">
<table class="tableizer-table" ;>
<thead>
<tr class="tableizer-firstrow" ;>
<th>Bot class</th>
<th>Damage per bullet</th>
<th>Bullet per shot</th>
<th>Aim duration (frame)</th>
<th>Shot duration (frame)</th>
<th>Precision short range</th>
<th>Precision mid range</th>
<th>Precision long range</th>
<th>Speed</th>
<th>Health</th>
<th>Shield</th>
</tr>
</thead>
<tbody>
<tr align="center" ;>
<td>Assault</td>
<td>300</td>
<td>3</td>
<td>4</td>
<td>2</td>
<td>95%</td>
<td>55%</td>
<td>15%</td>
<td>1.2</td>
<td>5000</td>
<td>3000</td>
</tr>
</tbody>
</table>
</div>
What do you mean by "overflows?" Are you talking about the CSS overflow-x properties?
I believe overflow-x is recognized by the CSS property validator.
https://github.com/OWASP/java-html-sanitizer/blob/e2b29e803c4f7ea225f569d18b3b1356d8e5bf3d/src/main/java/org/owasp/html/CssSchema.java#L421-L426
If I import org.owasp.html.CssSchema and add
.and(CssSchema.DEFINITIONS)
at this line of code will it works ?
Add this to your policy to explicitly allow this property (with values as defined in CssSchema):
.allowStyling(CssSchema.withProperties(List.of("overflow-x")))
