Overflow is sanitized #236

Open
Butanium opened this issue Oct 13, 2021 · 8 comments
Comments

@Butanium

Hello, the codingame game engine, which allows people to create games for its platform, uses your sanitizer on the game documentation.
When I tried to implement some overflow on tables, it got sanitized. The game engine's principal contributor told me that he allowed everything he could and that he didn't know your sanitizer would delete overflows.

Is it possible to allow them?

Here is the part of their code where they sanitize the game statement, and here is the part of my HTML page including the overflow:

<div style="overflow-x:auto;">
    <table class="tableizer-table" ;>
        <thead>
        <tr class="tableizer-firstrow" ;>
            <th>Bot class</th>
            <th>Damage per bullet</th>
            <th>Bullet per shot</th>
            <th>Aim duration (frame)</th>
            <th>Shot duration (frame)</th>
            <th>Precision short range</th>
            <th>Precision mid range</th>
            <th>Precision long range</th>
            <th>Speed</th>
            <th>Health</th>
            <th>Shield</th>
        </tr>
        </thead>
        <tbody>
        <tr align="center" ;>
            <td>Assault</td>
            <td>300</td>
            <td>3</td>
            <td>4</td>
            <td>2</td>
            <td>95%</td>
            <td>55%</td>
            <td>15%</td>
            <td>1.2</td>
            <td>5000</td>
            <td>3000</td>
        </tr>
        </tbody>
    </table>
</div>
@mikesamuel
Contributor

What do you mean by "overflows?" Are you talking about the CSS overflow-x properties?

@mikesamuel
Contributor

Or do the semicolons inside your HTML tags relate to your question?

@Butanium
Author

Hello, the overflow-x properties

@mikesamuel
Contributor

I believe overflow-x is recognized by the CSS property validator.

ImmutableSet<String> overflowLiterals0 = ImmutableSet.of(
    "auto", "hidden", "inherit", "scroll", "visible");
ImmutableSet<String> overflowXLiterals0 = ImmutableSet.of(
    "no-content", "no-display");
ImmutableSet<String> overflowXLiterals1 = ImmutableSet.of(
    "auto", "hidden", "scroll", "visible");

@Butanium
Author

Butanium commented Nov 8, 2021

Thanks for your answer!

How do you add them to the PolicyFactory as it's done for TABLES etc.?

@Butanium
Author

Butanium commented Dec 6, 2021

If I import org.owasp.html.CssSchema and add

.and(CssSchema.DEFINITIONS)

at this line of code, will it work?

@CGjupoulton

no :/

@csware
Contributor

csware commented Jan 31, 2024

Add this to your policy to explicitly allow this property (with values as defined in CssSchema):
.allowStyling(CssSchema.withProperties(List.of("overflow-x")))
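
As an added example (not code from this issue or from the java-html-sanitizer project), the following Java program puts the two pieces of advice above together: the property validator already knows overflow-x and its allowed literals, so all that is missing is whitelisting the property in the styling policy. It contrasts a policy built with the default CSS whitelist against one that adds overflow-x via CssSchema.withProperties, combined with CssSchema.DEFAULT using CssSchema.union so the existing defaults are kept. The class name, method names and sample HTML are ours; the sample input is a constructed, trimmed version of the table posted in the issue.

```java
import java.util.List;

import org.owasp.html.CssSchema;
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;
import org.owasp.html.Sanitizers;

/**
 * Added example: compares a policy that filters style="" with the default
 * CSS whitelist against one that also whitelists overflow-x.
 * Class and method names are ours, not the project's.
 */
public class OverflowPolicyExample {

    // Constructed sample statement: a scrollable wrapper around a table,
    // modelled on the HTML posted in the issue (without the stray ';').
    // "color" is in the default whitelist, so it survives both policies
    // and makes the difference in the overflow-x handling visible.
    static final String INPUT =
        "<div style=\"overflow-x:auto;color:red\">"
      + "<table><tr><th>Bot class</th><th>Speed</th></tr>"
      + "<tr><td>Assault</td><td>1.2</td></tr></table></div>";

    /** Table elements plus a div whose style is filtered by CssSchema.DEFAULT. */
    static PolicyFactory defaultStylingPolicy() {
        return new HtmlPolicyBuilder()
            .allowElements("div")
            .allowStyling()   // default whitelist; overflow-x is dropped (as reported)
            .toFactory()
            .and(Sanitizers.TABLES);
    }

    /** Same policy, but the style whitelist is the default plus overflow-x. */
    static PolicyFactory overflowPolicy() {
        // withProperties only accepts names the validator knows (overflow-x is one);
        // union keeps every default property alongside it.
        CssSchema schema = CssSchema.union(
            CssSchema.DEFAULT,
            CssSchema.withProperties(List.of("overflow-x")));
        return new HtmlPolicyBuilder()
            .allowElements("div")
            .allowStyling(schema)
            .toFactory()
            .and(Sanitizers.TABLES);
    }

    public static void main(String[] args) {
        System.out.println("default : " + defaultStylingPolicy().sanitize(INPUT));
        System.out.println("overflow: " + overflowPolicy().sanitize(INPUT));
    }
}
```

Whitelisting the property does not turn off value checking: the validator still restricts overflow-x to the literal sets quoted above (auto, hidden, scroll, visible and so on), so a style such as overflow-x:auto passes while unrelated or malformed declarations in the same attribute are still stripped.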
