
Comments don't get removed if inside curly brackets

Open · matthiasunt opened this issue 4 years ago · 1 comment

I noticed that comments are not removed if they are placed inside curly brackets.

Example

import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

PolicyFactory policy = new HtmlPolicyBuilder().allowElements("p").toFactory();

String unsanitized = "<p>{<!-- -->}</p>";
String sanitized = policy.sanitize(unsanitized);
String expected = "<p>{}</p>";
System.out.println("Expected: " + expected + "\nActual: " + sanitized);

The above code prints:

Expected: <p>{}</p>
Actual: <p>{<!-- -->}</p>

This also happens if the brackets and comment are not nested inside a paragraph element (e.g. {<!-- -->}). Surprisingly, the comment is removed if there is whitespace between bracket and comment (e.g. { <!-- --> }).

matthiasunt, Nov 29 '21 12:11

This must be linked to: https://github.com/OWASP/java-html-sanitizer/blob/master/docs/client-side-templates.md#escaping-of-sensitive-constructs

In your example the comment could indeed be removed while still fulfilling the escaping-of-sensitive-constructs rule.

vanwobe, Dec 09 '21 14:12
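An added illustration, not code from java-html-sanitizer or from either commenter, of the kind of client-side template construct the linked document is about, and of why the observation above holds for `{<!-- -->}` but would not hold for a comment sitting between two braces. The `{{name}}` directive syntax, the toy interpolator, the `{<!-- -->{` break and the sample secret are all assumptions made for this example; nothing here describes how the sanitizer itself implements the rule.

```javascript
// Toy client-side template interpolation, standing in for the kind of engine
// the client-side-templates document is about: anything matching {{ name }} in
// the page text is treated as a directive and replaced with model data.
// Constructed for this example; not java-html-sanitizer and not a real library.
const TEMPLATE_DIRECTIVE = /\{\{\s*([A-Za-z_][A-Za-z0-9_]*)\s*\}\}/g;

function renderTemplate(html, model) {
  return html.replace(TEMPLATE_DIRECTIVE, (_, name) =>
    Object.prototype.hasOwnProperty.call(model, name) ? String(model[name]) : ""
  );
}

// Comment removal as a plain text operation: what the issue expected to
// happen to the `<!-- -->` in `{<!-- -->}`.
function stripComments(html) {
  return html.replace(/<!--[\s\S]*?-->/g, "");
}

// One way to break a `{{` directive without changing what the browser shows:
// an empty HTML comment between the two braces. The browser's parser drops the
// comment, so the visible text still reads `{{`, but a text-level template
// engine no longer finds its delimiter. (Form assumed for this example.)
function breakTemplateDirectives(html) {
  return html.replace(/\{\{/g, "{<!-- -->{");
}

// Would dropping the comments in `html` create a `{{` that was not there before?
// If not, the comment is doing no escaping work and removing it is harmless.
// This is the distinction the reply above draws for `{<!-- -->}`.
function commentRemovalReopensDirective(html) {
  return !/\{\{/.test(html) && /\{\{/.test(stripComments(html));
}

// Constructed sample: attacker-controlled text and a model holding a secret.
const USER_TEXT = "<p>{{secret}}</p>";
const MODEL = { secret: "session-token-1234" };

console.log("unbroken :", renderTemplate(USER_TEXT, MODEL));            // secret interpolated
const broken = breakTemplateDirectives(USER_TEXT);
console.log("broken   :", renderTemplate(broken, MODEL));               // directive inert
console.log("stripped :", renderTemplate(stripComments(broken), MODEL)); // secret again
console.log("{<!-- -->} reopens a directive?",
  commentRemovalReopensDirective("<p>{<!-- -->}</p>"));                 // false
console.log("{<!-- -->{ reopens a directive?",
  commentRemovalReopensDirective("<p>{<!-- -->{secret}}</p>"));         // true
```

Run with `node`. The last two lines are the practical check: for the input in this issue, stripping the comment yields `{}` and opens nothing, so removing it is compatible with the rule; a comment that separates two braces is the one a sanitizer must keep.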