Skip to content

Do not ignore attributes allowed globally together with 'style' (#237)#238

Open
corebonts wants to merge 3 commits intoOWASP:mainfrom
corebonts:237
Open

Do not ignore attributes allowed globally together with 'style' (#237)#238
corebonts wants to merge 3 commits intoOWASP:mainfrom
corebonts:237

Conversation

@corebonts
Copy link

@corebonts corebonts commented Oct 27, 2021

Also, allowStyling() internally allows the 'style' attribute, so it is not necessary to ignore it.

Gabor Garancsi added 2 commits October 27, 2021 18:09
Do not ignore attributes allowed globally together with 'style' (OWAS…
b493617 
…P#237)

Also, allowStyling() internally allows the 'style' attribute, so it is not
necessary to ignore it.
Allow custom policies for 'style' attribute
f1541bf
@mikesamuel
Copy link
Contributor

mikesamuel commented Nov 5, 2021

Thanks for adding a testcase. The check for style as the zero-th element seems good to change, but what prompted this?

Instead of using null for the policy, and checking == null, can we check for the identity policy? My vague recollection was that .join was pretty good about just returning x when joining x with the identity policy.

@corebonts
Copy link
Author

corebonts commented Nov 10, 2021

First, thanks for reviewing it.
But sorry, it's not clear, what prompted what? The change that calls allowStyling() when "style" property is allowed or the change that uses now the contains check instead of the zero-th element check?

For the first, I don't know, it's someone else's change and I don't know the reason behind it. For me it also feels a bit magical.
For the latter one, we had failing tests in our product when we updated to the latest sanitizer.

And for your comment about the nullcheck, you're right, I will change that.

mikesamuel
mikesamuel reviewed Jan 15, 2024
View reviewed changes
src/main/java/org/owasp/html/HtmlPolicyBuilder.java
this.policy = attrPolicy;
} else {
this.policy = AttributePolicy.Util.join(this.policy, attrPolicy);
}
Copy link
Contributor

@mikesamuel mikesamuel Jan 15, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does https://github.com/OWASP/java-html-sanitizer/pull/248/files#diff-a27b541fc6864e5b794ba42fc4230501e1fa203e2bd05cf782c52a44b1b4b54d in another PR fix this?

@aalmiray aalmiray force-pushed the main branch 6 times, most recently from 9bb458a to f40152f Compare January 3, 2026 02:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mikesamuel mikesamuel mikesamuel left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@corebonts @mikesamuel