java-html-sanitizer

Sanitizing CSS

Open subbudvk opened this issue 1 year ago • 3 comments

  • Why is the CSS sanitization that happens with properties in CSSSchema for the style attribute not happening when we do allowTextIn("style")?
  • If that's intentional, is there a way to disallow a particular property inside the style tag, for example: background-url?

We can write a preprocessor, but I think CssGrammar, where we do sanitization, is package specific. Is it a right way to sanitize CSS in

@mikesamuel @jmanico

subbudvk, Feb 07 '24 17:02

@Dashlet26 If I am not wrong, customizing CSS Schema doesn't have an effect in

subbudvk, Mar 23 '24 11:03

Apologies for my previous answer. Sticking with this one: the allowStyling() API and its whitelisting are specially used for style attributes. Customizing CSS Schema may not have an effect in

Dashlet26, Mar 23 '24 15:03

@Dashlet26, sorry, but that's the question. I understand allowStyling() is used for attributes, and that's why I replied to the earlier suggestion of customizing CSS Schema.

subbudvk, Mar 25 '24 01:03