diff --git a/src/main/java/org/owasp/html/CssSchema.java b/src/main/java/org/owasp/html/CssSchema.java index b9c6ae64..6d8e68e2 100644 --- a/src/main/java/org/owasp/html/CssSchema.java +++ b/src/main/java/org/owasp/html/CssSchema.java @@ -164,15 +164,16 @@ public static CssSchema withProperties( Map propertyMap = new HashMap<>(); // check that all fnKeys are defined in properties. - for (Map.Entry e : propertyMap.entrySet()) { + for (Map.Entry e : properties.entrySet()) { Property property = e.getValue(); for (String fnKey : property.fnKeys.values()) { - if (!propertyMap.containsKey(fnKey)) { + if (!properties.containsKey(fnKey)) { throw new IllegalArgumentException( "Property map is not self contained. " + e.getValue() + " depends on undefined function key " + fnKey); } } + propertyMap.put(e.getKey(), e.getValue()); } return new CssSchema(Map.copyOf(propertyMap)); } diff --git a/src/test/java/org/owasp/html/HtmlPolicyBuilderTest.java b/src/test/java/org/owasp/html/HtmlPolicyBuilderTest.java index 746a1017..e7e6616f 100644 --- a/src/test/java/org/owasp/html/HtmlPolicyBuilderTest.java +++ b/src/test/java/org/owasp/html/HtmlPolicyBuilderTest.java @@ -29,8 +29,10 @@ package org.owasp.html; import java.util.Arrays; +import java.util.Collections; import java.util.List; import java.util.Locale; +import java.util.Map; import java.util.Set; import java.util.regex.Pattern; import java.util.stream.Collectors; @@ -250,7 +252,31 @@ public void testSpecificStyleFilterung() { } @Test - public void testUnionStyleFilterung() { + public void testCustomPropertyStyleFiltering() { + assertEquals( + Arrays.stream(new String[] { + "
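Review bot: The `IllegalArgumentException` branch in `withProperties` becomes reachable for the first time here, since the old loop ran over the still-empty `propertyMap`, yet neither test added in this commit exercises it: both pass `Collections.emptyMap()` as the function keys. A test that builds a `CssSchema.Property` whose function-key map names a key missing from the supplied map, and expects the exception, would stop the self-containment check from quietly becoming dead code again. Now that validation reads `properties` directly, the intermediate `HashMap` is only a copy, so `return new CssSchema(Map.copyOf(properties));` after the loop should be equivalent and removes the `propertyMap.put(...)` line. The method's signature and Javadoc start outside the hunk, so confirm the Javadoc states that a dangling function key is rejected.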

Header

", + "

Paragraph 1

", + "

Click me out

", + "

", + "

Fancy with soupy tags.", + "

Stylish Para 1

", + "

Stylish Para 2

", + ""}).collect(Collectors.joining("\n")), + apply(new HtmlPolicyBuilder() + .allowCommonInlineFormattingElements() + .allowCommonBlockElements() + .allowStyling( + CssSchema.withProperties( + Map.of("text-align", + new CssSchema.Property(0, + Set.of("center"), + Collections.emptyMap())))) + .allowStandardUrlProtocols())); + } + + @Test + public void testUnionStyleFiltering() { assertEquals( Arrays.stream(new String[] { "

Header

", @@ -271,6 +297,30 @@ public void testUnionStyleFilterung() { .allowStandardUrlProtocols())); } + @Test + public void testCustomPropertyStyleFilteringDisallowed() { + assertEquals( + Arrays.stream(new String[] { + "

Header

", + "

Paragraph 1

", + "

Click me out

", + "

", + "

Fancy with soupy tags.", + "

Stylish Para 1

", + "

Stylish Para 2

", + ""}).collect(Collectors.joining("\n")), + apply(new HtmlPolicyBuilder() + .allowCommonInlineFormattingElements() + .allowCommonBlockElements() + .allowStyling( + CssSchema.withProperties( + Map.of("text-align", + new CssSchema.Property(0, + Set.of("left", "right"), + Collections.emptyMap())))) + .allowStandardUrlProtocols())); + } + @Test public static final void testElementTransforming() { assertEquals(