https://github.com/OWASP/java-html-sanitizer/pull/218/files made a breaking change to imply allowAttributes("style").globally(). With this change I believe the CSS Schema based whitelisting is applied automatically even if someone explicitly uses allowAttributes() instead of allowStyling().
Though this change was made long ago, it may not have had much impact on users who hadn't done whitelisting previously, because the change assumed that style would be in the first place of the attribute list.
Now with https://github.com/OWASP/java-html-sanitizer/pull/248/files#diff-a27b541fc6864e5b794ba42fc4230501e1fa203e2bd05cf782c52a44b1b4b54d, this change is being forced, so whitelisting gets applied automatically.
We understand the use of whitelisting, but this cannot be forced on our users immediately, as we don't know how much of the user style is already allowed in the CSS Schema.
Can this be an option, or be like the existing behaviour where the user has the option to use allowStyling() or allowAttributes("style") without forcing this? Let me know if you want this to be expressed API-wise in a different manner while still supporting the two behaviours as it used to; I'll submit a PR for this.
@mikesamuel
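The following is an added example, not code from the issue author or from the java-html-sanitizer project. It builds three policies side by side (allowStyling() with the default CssSchema, allowStyling() with an explicit narrow schema, and the allowAttributes("style").globally() form the issue is about) and runs one constructed input through each, so a team that does not know how much of its users' CSS the default schema already accepts can compare the outputs on its own library version. The sample input and the property list in the narrow schema are assumptions for illustration; CssSchema.DEFAULT, CssSchema.withProperties, allowStyling and allowAttributes are the library's own public API.

```java
import java.util.Arrays;
import org.owasp.html.CssSchema;
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

/**
 * Added example (not the issue author's or the project's code): compares the
 * three ways of letting a style attribute through the sanitizer so the effect
 * of the CSS schema on real markup can be inspected before changing policies.
 */
public final class StylePolicyComparison {

    // Constructed sample input (an assumption for this example): a colour, a
    // layout property, and a non-standard property that a schema should drop.
    static final String INPUT =
        "<p style=\"color:red; text-align:center; behavior:url(x.htc)\">hi</p>";

    /** allowStyling() with the library's default CssSchema. */
    static PolicyFactory defaultStyling() {
        return new HtmlPolicyBuilder()
            .allowElements("p")
            .allowStyling()                     // equivalent to allowStyling(CssSchema.DEFAULT)
            .toFactory();
    }

    /** allowStyling() with an explicit narrow schema: only the listed properties survive. */
    static PolicyFactory narrowStyling() {
        // Property names are an assumed whitelist for this example; withProperties
        // only accepts names the library already knows how to validate.
        CssSchema onlyColorAndWeight =
            CssSchema.withProperties(Arrays.asList("color", "font-weight"));
        return new HtmlPolicyBuilder()
            .allowElements("p")
            .allowStyling(onlyColorAndWeight)
            .toFactory();
    }

    /**
     * The form discussed in the issue: "style" allowed as a plain attribute.
     * Whether this output matches defaultStyling() depends on the library
     * version, which is exactly what the issue reports.
     */
    static PolicyFactory styleAsAttribute() {
        return new HtmlPolicyBuilder()
            .allowElements("p")
            .allowAttributes("style").globally()
            .toFactory();
    }

    public static void main(String[] args) {
        System.out.println("allowStyling():             " + defaultStyling().sanitize(INPUT));
        System.out.println("allowStyling(narrow):       " + narrowStyling().sanitize(INPUT));
        System.out.println("allowAttributes(\"style\"):  " + styleAsAttribute().sanitize(INPUT));
    }
}
```

Run it against the library version currently in use and again against the version that includes the linked pull requests; the third line is the one whose behaviour the issue says changed, and diffing it against the first shows whether the schema is now being applied to allowAttributes("style") in that version. Widening the narrow schema with CssSchema.union(CssSchema.DEFAULT, CssSchema.withProperties(...)) is the way to admit extra properties once a team has measured what its users actually rely on.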