Sanitizing style element content
Sanitizing <style type="text/css"> ... </style> content with StylingPolicy, then letting it add a parent CSS selector per line item, could be a nice feature.
For example, the following style content:

    <style type="text/css">
    h1 { text-align: center; color: red;}
    p { text-align: center; color: red;}
    #id {color:blue}
    </style>

can be transformed to

    <style type="text/css">
    .sanitized h1 { text-align: center; color: red;}
    .sanitized p { text-align: center;color: red;}
    #sanitized-id {color:blue}
    </style>

This feature cannot be implemented in the applications since the StylingPolicy class is a package class.
I have the same problem (default, final), not easy to extend 😢
And a similar issue with CssSchema/forKey.
Meanwhile, to avoid a fork or having to duplicate 4-5 classes, this is my workaround:

    // StylingPolicyBuilder.java
    // Declared in org.owasp.html so it can reach the package-private StylingPolicy.
    package org.owasp.html;

    import com.google.common.base.Function;

    public class StylingPolicyBuilder {
        private final CssSchema cssSchema;
        private final Function<String, String> urlRewriter;

        public StylingPolicyBuilder(final CssSchema cssSchema,
                                    final Function<String, String> urlRewriter) {
            this.cssSchema = cssSchema;
            this.urlRewriter = urlRewriter;
        }

        public StylingPolicy build() {
            return new StylingPolicy(cssSchema, urlRewriter);
        }
    }

    // CssSchemaProxy.java
    // Public wrapper around CssSchema.forKey, declared in the same package.
    package org.owasp.html;

    import org.owasp.html.CssSchema.Property;

    public class CssSchemaProxy {
        private final CssSchema cssSchema;

        public CssSchemaProxy(final CssSchema cssSchema) {
            this.cssSchema = cssSchema;
        }

        public Property forKey(final String propertyName) {
            return cssSchema.forKey(propertyName);
        }
    }

We have the same issue and I want to share our motivation to maybe start a discussion on whether this should be a general feature and a valuable addition.
Motivation
Since allowStyles defines a global rule, which applies to all elements, we cannot use it to define style rules per element. In our case, we allow, e.g., only color, background-color on span and td, but not on table.
On table though, we want to allow width and height, not color, background-color. Basically we have style rules per element.
Idea (how we did it)
Even though the current HtmlPolicyBuilder does not allow doing so (which is fine I suppose), one can easily utilize StylePolicy and allowAttributes().matching() to accomplish this very goal:

    private fun spanRule(): PolicyFactory {
        val stylingPolicy = StylingPolicyBuilder(
            CssSchema.withProperties(listOf("color", "background-color"))
        ) { null }
            .build()
        return HtmlPolicyBuilder()
            .allowElements("span")
            .allowAttributes("style").matching(stylingPolicy).onElements("span")
            .toFactory()
    }

Since StylePolicy already has the right functional interface, it really comes together nicely.
Problem
So what is the problem then? The issue is that we had to implement StylingPolicyBuilder (as above) using a foreign-package hack, since StylePolicy is package-private.
Solution
Either offer a builder for StylePolicy which is public or make StylePolicy public itself, if there are no reasons for a builder (as it seems).
I would love to provide a PR for this, including tests, if there is actually any interest in moving forward with this.
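
The per-element style rules described in the last comment (color and background-color on span and td, width and height on table), written against the public AttributePolicy interface only; this is an added example, not code from the thread or from the project. The helper styleAllowing and the SAFE_VALUE pattern are hypothetical, and the pattern is a deliberately narrow stand-in for the library's own CSS value handling, not a replacement for it.

```java
import java.util.*;
import java.util.regex.Pattern;
import org.owasp.html.AttributePolicy;
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

public class PerElementStyleExample {
  // Assumption: a narrow value grammar (keywords, numbers, units, hex colors).
  // No parentheses, quotes, colons or backslashes, so url(), expression()
  // and CSS escapes can never pass.
  private static final Pattern SAFE_VALUE = Pattern.compile("[A-Za-z0-9#%. -]{1,64}");

  /** Hypothetical helper: keeps only declarations whose property is allowlisted. */
  static AttributePolicy styleAllowing(String... allowed) {
    Set<String> props = new HashSet<>(Arrays.asList(allowed));
    return (elementName, attributeName, value) -> {
      StringBuilder out = new StringBuilder();
      for (String decl : value.split(";")) {
        int colon = decl.indexOf(':');
        if (colon < 0) continue; // not a "property: value" pair
        String prop = decl.substring(0, colon).trim().toLowerCase(Locale.ROOT);
        String val = decl.substring(colon + 1).trim();
        if (props.contains(prop) && SAFE_VALUE.matcher(val).matches()) {
          if (out.length() > 0) out.append(';');
          out.append(prop).append(':').append(val); // rebuilt from checked parts only
        }
      }
      return out.length() == 0 ? null : out.toString(); // null drops the attribute
    };
  }

  public static void main(String[] args) {
    PolicyFactory policy = new HtmlPolicyBuilder()
        .allowElements("span", "table", "tr", "td")
        .allowAttributes("style").matching(styleAllowing("color", "background-color"))
            .onElements("span", "td")
        .allowAttributes("style").matching(styleAllowing("width", "height"))
            .onElements("table")
        .toFactory();
    // Constructed input: each element mixes an allowed and a disallowed property.
    String dirty = "<table style=\"width:100px;color:red\"><tr>"
        + "<td style=\"color:blue;width:5px\"><span style=\"color:#f00;"
        + "background-image:url(http://example.test/x.png)\">x</span></td></tr></table>";
    System.out.println(policy.sanitize(dirty));
  }
}
```

Because the output is reassembled from an allowlisted property name and a pattern-checked value, anything the filter does not recognise is dropped rather than passed through.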