Simplify policies that require constraints on a URL based on its protocol #22
Comments
Bump to revisit.
I would love an abbreviation for this, too. Could you please help me get this to work:

```java
import java.util.regex.Pattern;
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;
import org.owasp.html.Sanitizers;
public class Example {
  private static final PolicyFactory htmlSanitizer = new HtmlPolicyBuilder()
      .allowUrlProtocols("data", "https", "http", "mailto")
      .allowAttributes("src")
      .matching(Pattern.compile("^(data:image/(gif|png|jpeg)[,;]|http|https|mailto|//)", Pattern.CASE_INSENSITIVE))
      .onElements("img")
      .toFactory()
      .and(Sanitizers.IMAGES)
      .and(Sanitizers.BLOCKS);
  // Wrapper not shown in the original comment; assumed to apply the policy above.
  private static String HtmlSanitize(String html) {
    return htmlSanitizer.sanitize(html);
  }
  public static void main(String[] args) {
    System.out.println(HtmlSanitize("<img src=\"data:image/gif;base64,R0lGODlhEAAQAMQAAORHHOVSKudfOulrSOp3WOyDZu6QdvCchPGolfO0o\" /><p>test</p>"));
  }
}
```

I get
Got it to work:

```java
import java.util.regex.Pattern;
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;
import org.owasp.html.Sanitizers;
public class Example {
  // img/src policy: data: URLs must carry an image media type; everything else goes through the URL protocol filter.
  private static final PolicyFactory htmlImageSanitizer = new HtmlPolicyBuilder()
      .allowUrlProtocols("data", "http", "https")
      .allowElements("img")
      .allowAttributes("src")
      .matching(Pattern.compile("^(data:image/(gif|png|jpeg)[,;]|http|https|mailto|//).+", Pattern.CASE_INSENSITIVE))
      .onElements("img")
      .toFactory();
  private static final PolicyFactory htmlSanitizer = htmlImageSanitizer.and(Sanitizers.BLOCKS).and(Sanitizers.FORMATTING).and(Sanitizers.LINKS).and(Sanitizers.STYLES).and(Sanitizers.TABLES);
}
```
Your solution seems complicated but the API doesn't obviously allow for a better way, so it's probably the API's fault. There seem to be some separable concerns here:

I think the first problem is a symptom of a larger problem: it's hard to match URLs.

```
allowAttributes("src")
    .matchingUrls(...)
    .onElements("img")
```

where the `...` encapsulates (http, https, or data with content-type in image/(gif|png|jpeg)). What do you think of https://gist.github.com/mikesamuel/e9720a0acc0601372deba3bf0896f33a as a proposed API for solving the larger problem?

Note to self: I'm finding excuses to write specifications, so I should probably figure out what work I'm subconsciously avoiding and do it.
Your API would be great at this point and definitely its implementation would be worth the effort.
https://github.com/OWASP/url-classifier is an experimental URL classifier API based on that gist. #126 integrates it into java-html-sanitizer. Neither is ready for prime-time yet, but you can play around.
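The following is an added example, not code from this thread or from the java-html-sanitizer project. It shows one way to express today, with the existing `allowAttributes(...).matching(AttributePolicy)` hook, what the working policy in the second comment and the proposed `matchingUrls(...)` above both aim at: an `img`/`src` rule that accepts http, https and protocol-relative URLs, and accepts `data:` URLs only after checking their structure (media type in image/gif, image/png, image/jpeg, base64 payload) rather than a prefix. The class name, the media-type allow-list and the sample inputs are assumptions made for the example.

```java
import java.util.Locale;
import java.util.regex.Pattern;

import org.owasp.html.AttributePolicy;
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;
import org.owasp.html.Sanitizers;

/** Added example: an img/src policy that validates data: URLs by structure, not by prefix. */
public final class ImageSrcPolicyExample {

  // Assumed allow-list: only base64 payloads of these three media types are inlined.
  // Applied with Matcher.matches(), so the pattern must cover the whole attribute value.
  private static final Pattern IMAGE_DATA_URL = Pattern.compile(
      "data:image/(gif|png|jpeg);base64,[A-Za-z0-9+/]+={0,2}", Pattern.CASE_INSENSITIVE);

  // Custom attribute policy: return the value to keep it, null to drop the attribute.
  private static final AttributePolicy IMG_SRC = new AttributePolicy() {
    @Override
    public String apply(String elementName, String attributeName, String value) {
      String v = value.trim();
      String lower = v.toLowerCase(Locale.ROOT);
      if (lower.startsWith("data:")) {
        // Inline image only if media type and payload encoding are what we expect;
        // data:text/html, data:image/svg+xml and non-base64 payloads are all rejected.
        return IMAGE_DATA_URL.matcher(v).matches() ? v : null;
      }
      if (lower.startsWith("http://") || lower.startsWith("https://") || v.startsWith("//")) {
        return v; // absolute or protocol-relative network URL
      }
      return null; // anything else (relative paths, unknown schemes) is dropped
    }
  };

  // allowUrlProtocols is kept as a second line of defence: even if IMG_SRC had a gap,
  // the sanitizer's own URL filter still rejects schemes outside this set.
  public static final PolicyFactory IMAGES_WITH_DATA_URLS = new HtmlPolicyBuilder()
      .allowUrlProtocols("data", "http", "https")
      .allowElements("img")
      .allowAttributes("src").matching(IMG_SRC).onElements("img")
      .allowAttributes("alt").onElements("img")
      .toFactory();

  public static final PolicyFactory POLICY =
      IMAGES_WITH_DATA_URLS.and(Sanitizers.BLOCKS).and(Sanitizers.FORMATTING);

  public static String sanitize(String html) {
    return POLICY.sanitize(html);
  }

  public static void main(String[] args) {
    // Constructed sample inputs; the base64 payloads are placeholders, not real images.
    String[] inputs = {
      "<img src=\"data:image/png;base64,iVBORw0KGgo=\" alt=\"src kept\">",
      "<img src=\"data:text/html;base64,PHNjcmlwdD4=\" alt=\"src dropped\">",
      "<img src=\"data:image/svg+xml;base64,PHN2Zz4=\" alt=\"src dropped\">",
      "<img src=\"data:image/gif,R0lGODlh\" alt=\"src dropped (not base64)\">",
      "<img src=\"https://example.com/a.png\" alt=\"src kept\"><p>text</p>",
    };
    for (String in : inputs) {
      System.out.println(in + "\n  -> " + sanitize(in));
    }
  }
}
```

Two details worth knowing when comparing this with the regex policies earlier in the thread: `matching(Pattern)` in `HtmlPolicyBuilder` tests the pattern against the whole attribute value with `Matcher.matches()`, which is why the first attempt's `^(...)` prefix pattern rejected every `src` and the second attempt needed the trailing `.+`; and a `[,;]` after the media type admits parameters other than `;base64`, so if only base64 payloads are meant to be inlined, the policy has to say so explicitly, as `IMAGE_DATA_URL` does here.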
Original issue reported on code.google.com by [email protected] on 21 Jan 2014 at 4:09