
Issue in 2024x version with styles #331

Open
subbudvk opened this issue Apr 6, 2024 · 2 comments · May be fixed by #334

Comments

@subbudvk
Contributor

subbudvk commented Apr 6, 2024

https://github.com/OWASP/java-html-sanitizer/pull/218/files made a breaking change to imply allowAttributes("style").globally(); with this change I believe the CSS-schema-based whitelisting is applied automatically even if someone explicitly uses allowAttributes() instead of allowStyling().

Though this change was made long ago, it may not have had much impact for users who didn't do whitelisting previously, because the change assumed the style would be in the first place of the attribute list.

Now with https://github.com/OWASP/java-html-sanitizer/pull/248/files#diff-a27b541fc6864e5b794ba42fc4230501e1fa203e2bd05cf782c52a44b1b4b54d, this change is being forced so whitelisting gets automatically applied.

We understand the use of whitelisting, but this cannot be forced immediately on our users as we don't know how much of user style is already allowed in the CSS Schema.

Can this be an option, or be like the existing behaviour where the user has the option to use allowStyling() or allowAttributes("style") without forcing this? Let me know if you want this to be expressed API-wise in a different manner but still supporting the two behaviours as it used to; I'll submit a PR for this.

@mikesamuel
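An added example, not code from this issue or from the java-html-sanitizer project, that runs one constructed input through both policy shapes the comment contrasts so a team upgrading can see what the CSS schema drops from user-supplied inline styles. It assumes the current behaviour described above (allowAttributes("style") routing through the same CSS whitelisting as allowStyling()) and uses only the public HtmlPolicyBuilder, CssSchema and PolicyFactory API; the sample markup and the property name some-unknown-property are constructed.

```java
import org.owasp.html.CssSchema;
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

/** Compares the two ways of admitting inline styles discussed in this issue. */
public class StylePolicyComparison {

    // Constructed sample: "color" is in the default CSS schema; the second
    // property is made up, so it is not, and shows what whitelisting removes.
    static final String SAMPLE =
        "<p style=\"color: red; some-unknown-property: 1\">hello</p>";

    /** Explicit styling: declarations are filtered through the given schema. */
    static PolicyFactory explicitStylingPolicy(CssSchema schema) {
        return new HtmlPolicyBuilder()
            .allowElements("p")
            .allowStyling(schema)
            .toFactory();
    }

    /**
     * Plain attribute allowance. Per the issue, recent versions treat this the
     * same as allowStyling(), so the unknown property is expected to be dropped
     * here too (assumption: this matches the library version you run).
     */
    static PolicyFactory styleAttributePolicy() {
        return new HtmlPolicyBuilder()
            .allowElements("p")
            .allowAttributes("style").globally()
            .toFactory();
    }

    /** Sanitizes the sample with both policies and reports whether they agree. */
    static boolean policiesAgree() {
        String viaStyling = explicitStylingPolicy(CssSchema.DEFAULT).sanitize(SAMPLE);
        String viaAttribute = styleAttributePolicy().sanitize(SAMPLE);
        System.out.println("allowStyling(DEFAULT):  " + viaStyling);
        System.out.println("allowAttributes(style): " + viaAttribute);
        return viaStyling.equals(viaAttribute);
    }

    public static void main(String[] args) {
        // If the two outputs match, the "magic" routing described in the issue
        // is in effect and the style attribute is no longer passed through verbatim.
        System.out.println("same output: " + policiesAgree());
    }
}
```

Run this against the library version you are upgrading to; audit the diff between the input and the sanitized output on real user content before deciding whether CssSchema.DEFAULT is enough or an explicit allowStyling(CssSchema) with an extended schema is needed.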

@corebonts

+1 on this. We cannot update the library because of that "magic" behaviour.

@subbudvk
Contributor Author

@mikesamuel : As multiple users face this issue
