TechQA.

How to include all the elements in PolicyBuilder in OWASP Java HTML Sanitizer

1.5k views Asked by At

Is there any way to allow everything in the policy and then I would just .disallow() couple of elements and attributes that I know are causing problems. For example instead of doing "

 PolicyFactory policy = new HtmlPolicyBuilder()
                .allowElements("table", "tr", "td", "href", "body", "th", "font", "button", "input", "select")

i can do

 PolicyFactory policy = new HtmlPolicyBuilder()
                .allowElements(Include all elements)

Note:I don't want to use Antisamy.

html owasp antisamy
Original Q&A
2

There are 2 answers

0
SPoint On

This is not possible as OWASP Java HTML Sanitizer is a white-list filter and not a blaklist filter.

By default the sanitizer disallow all, and you must known what you want to you application to receive.

0
pdem On

the class org.owasp.html.Sanitizers contains a lot of example to include a group of allowed elements.

public final class Sanitizers {
  public static final PolicyFactory FORMATTING = (new HtmlPolicyBuilder()).allowCommonInlineFormattingElements().toFactory();
  public static final PolicyFactory BLOCKS = (new HtmlPolicyBuilder()).allowCommonBlockElements().toFactory();
  public static final PolicyFactory STYLES = (new HtmlPolicyBuilder()).allowStyling().toFactory();
  public static final PolicyFactory LINKS = (new HtmlPolicyBuilder()).allowStandardUrlProtocols().allowElements(new String[]{"a"}).allowAttributes(new String[]{"href"}).onElements(new String[]{"a"}).requireRelNofollowOnLinks().toFactory();
  // ...etc

You may use it directly or to include all of them, copy it and make your own policy with all of them

public static final PolicyFactory ALL_HTML = (new HtmlPolicyBuilder())
        .allowCommonInlineFormattingElements()
        .allowCommonBlockElements()
        .allowStyling()
        .allowStandardUrlProtocols()
        .allowElements(new String[]{"a"}).allowAttributes(new String[]{"href"}).onElements(new String[]{"a"}).requireRelNofollowOnLinks()
        .allowElements(new String[]{"table", "tr", "td", "th", "colgroup", "caption", "col", "thead", "tbody", "tfoot"}).allowAttributes(new String[]{"summary"}).onElements(new String[]{"table"}).allowAttributes(new String[]{"align", "valign"}).onElements(new String[]{"table", "tr", "td", "th", "colgroup", "col", "thead", "tbody", "tfoot"}).allowTextIn(new String[]{"table"})
        .toFactory();

Related Questions in HTML

Related Questions in OWASP

Related Questions in ANTISAMY

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Trending Questions