From 2901ef0d36ada245ba81d1e063e4b1388da2e60c Mon Sep 17 00:00:00 2001 From: Sven Strickroth Date: Fri, 2 Feb 2024 17:48:55 +0100 Subject: [PATCH] Fix repeatedly adding rel values (#307) * Don't allow duplicates in rel attribute for links Signed-off-by: Sven Strickroth * Use lower case link rel attribute words --------- Signed-off-by: Sven Strickroth Co-authored-by: Mike Samuel --- .../org/owasp/html/HtmlPolicyBuilder.java | 11 ++++---- .../org/owasp/html/HtmlPolicyBuilderTest.java | 25 +++++++++++++++++++ 2 files changed, 30 insertions(+), 6 deletions(-) diff --git a/src/main/java/org/owasp/html/HtmlPolicyBuilder.java b/src/main/java/org/owasp/html/HtmlPolicyBuilder.java index bae6d13e..d98ffa98 100644 --- a/src/main/java/org/owasp/html/HtmlPolicyBuilder.java +++ b/src/main/java/org/owasp/html/HtmlPolicyBuilder.java @@ -1045,12 +1045,11 @@ public String apply(String elementName, List attrs) { for (int i = 0; i <= n; ++i) { if (i == n || Strings.isHtmlSpace(rels.charAt(i))) { if (left < i) { - if (skip.isEmpty() - || !skip.contains( - Strings.toLowerCase(rels.substring(left, i)))) { - String rel = rels.substring(left, i); - present.add(rel); - sb.append(rel).append(' '); + final String rel = rels.substring(left, i); + final String lowerCaseRel = Strings.toLowerCase(rel); + if ((skip.isEmpty() || !skip.contains(lowerCaseRel)) && !present.contains(lowerCaseRel)) { + present.add(lowerCaseRel); + sb.append(lowerCaseRel).append(' '); } } left = i + 1; diff --git a/src/test/java/org/owasp/html/HtmlPolicyBuilderTest.java b/src/test/java/org/owasp/html/HtmlPolicyBuilderTest.java index e7e6616f..0f49540f 100644 --- a/src/test/java/org/owasp/html/HtmlPolicyBuilderTest.java +++ b/src/test/java/org/owasp/html/HtmlPolicyBuilderTest.java @@ -924,6 +924,31 @@ public final void testRelLinksWhenRelIsPartOfData() { assertEquals(toSanitize, pf.sanitize(toSanitize)); } + @Test + public static final void testRelLinksWithDuplicateRels() { + PolicyFactory pf = new HtmlPolicyBuilder() + .allowElements("a") + .allowAttributes("href").onElements("a") + .allowAttributes("rel").onElements("a") + .allowAttributes("target").onElements("a") + .allowStandardUrlProtocols() + .toFactory(); + assertEquals("test", pf.sanitize("test")); + } + + @Test + public static final void testRelLinksWithDuplicateRelsRequired() { + PolicyFactory pf = new HtmlPolicyBuilder() + .allowElements("a") + .allowAttributes("href").onElements("a") + .allowAttributes("rel").onElements("a") + .allowAttributes("target").onElements("a") + .allowStandardUrlProtocols() + .requireRelsOnLinks("noreferrer") + .toFactory(); + assertEquals("test", pf.sanitize("test")); + } + @Test public static final void testFailFastOnSpaceSeparatedStrings() { boolean failed;