
I have an application where a customer can store the following HTML lines in order to load different styles for the actual browser:

<!--[if IE 6]><link rel="stylesheet" type="text/css" media="all" href="default/css/general_ie6.css"><![endif]--> 
<!--[if IE 7]><link rel="stylesheet" type="text/css" media="all" href="default/css/general_ie7.css"><![endif]--> 
<!--[if IE 8]><link rel="stylesheet" type="text/css" media="all" href="default/css/general_ie8.css"><![endif]--> 

Also I've configured the OWASP policy to disallow malicious HTML tags in the following way:

new HtmlPolicyBuilder().allowElements("link").allowAttributes("rel", "type", "media", "href").onElements("link").toFactory();

But after sanitization the "if" browser lines are dropped.

Could you please suggest how to configure the policy in order to allow storing such content?

fashuser

2 Answers


The OWASP Sanitizer cannot be configured to accept these tags. Instead you could use an HTML parser like JSoup to extract these lines before sanitizing, then add them back in afterwards.

Ben-JD
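The extract-then-re-add approach from the answer above, written out as an added example (not code from either poster, and not part of the OWASP or Jsoup projects). It assumes the OWASP Java HTML Sanitizer API used in the question (`HtmlPolicyBuilder`, `PolicyFactory.sanitize`) and Jsoup's `Jsoup.parseBodyFragment`, `Comment` and `Node` classes; the regular expression for the conditional-comment syntax and the `ConditionalCommentSanitizer` class name are mine. The one point worth getting right: the markup inside `<!--[if IE ...]> ... <![endif]-->` is not a comment to Internet Explorer, it is live HTML, so putting the extracted lines back verbatim would reintroduce exactly what the sanitizer is there to remove. The example therefore runs the inner markup through the same policy, and restricts the condition text to the characters a conditional expression needs.

```java
import org.jsoup.Jsoup;
import org.jsoup.nodes.Comment;
import org.jsoup.nodes.Document;
import org.jsoup.nodes.Node;
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Added example: sanitizes HTML while keeping IE conditional comments. */
public class ConditionalCommentSanitizer {

    // The same policy as in the question. "href" is a URL attribute, so the
    // sanitizer additionally applies its URL-protocol filter to it.
    private static final PolicyFactory POLICY = new HtmlPolicyBuilder()
            .allowElements("link")
            .allowAttributes("rel", "type", "media", "href").onElements("link")
            .toFactory();

    // Assumed pattern for a downlevel-hidden conditional comment body, i.e. the
    // text Jsoup reports between "<!--" and "-->": "[if IE 6]>...<![endif]".
    private static final Pattern CONDITIONAL = Pattern.compile(
            "^\\[if\\s+([^\\]]+)\\]>(.*)<!\\[endif\\]$", Pattern.DOTALL);

    public static String sanitizePreservingConditionals(String html) {
        // Parse as a body fragment; Jsoup keeps comments as Comment nodes and,
        // in body context, inserts <link> where it appears.
        Document doc = Jsoup.parseBodyFragment(html);
        StringBuilder out = new StringBuilder();

        for (Node node : doc.body().childNodes()) {
            if (node instanceof Comment) {
                String data = ((Comment) node).getData().trim();
                Matcher m = CONDITIONAL.matcher(data);
                if (m.matches()) {
                    // Only the characters needed for "IE 6", "gte IE 7",
                    // "(gt IE 6)&(lt IE 9)", "!IE" etc. survive; in particular
                    // no "-" or ">" can sneak in to close the comment early.
                    String condition = m.group(1).replaceAll("[^A-Za-z0-9 .!()|&]", "");
                    // The inner markup is executed by IE, so it gets the same
                    // policy as everything else instead of being trusted.
                    String inner = POLICY.sanitize(m.group(2));
                    out.append("<!--[if ").append(condition).append("]>")
                       .append(inner)
                       .append("<![endif]-->\n");
                }
                // Ordinary comments are dropped, matching the sanitizer's behaviour.
            } else {
                out.append(POLICY.sanitize(node.outerHtml()));
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed input: the customer's three lines plus two things the
        // policy must still reject, one of them hidden inside a conditional.
        String stored = String.join("\n",
            "<!--[if IE 6]><link rel=\"stylesheet\" type=\"text/css\" media=\"all\" href=\"default/css/general_ie6.css\"><![endif]-->",
            "<!--[if IE 7]><link rel=\"stylesheet\" type=\"text/css\" media=\"all\" href=\"default/css/general_ie7.css\"><![endif]-->",
            "<!--[if IE 8]><link rel=\"stylesheet\" type=\"text/css\" media=\"all\" href=\"default/css/general_ie8.css\"><![endif]-->",
            "<!--[if IE 8]><script>alert(1)</script><![endif]-->",
            "<script>alert(2)</script>");

        // Expected: the three <link> conditionals are kept, both scripts are gone.
        System.out.println(sanitizePreservingConditionals(stored));
    }
}
```

Note that this only handles downlevel-hidden conditional comments at the top level of the fragment; the downlevel-revealed form (`<![if IE]> ... <![endif]>`) is not a comment at all and is already stripped by the sanitizer as unknown markup. Whether `<link>` elements should be storable by customers in the first place is a separate policy decision; the example keeps the question's policy as given.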

There is Issue #1532: Allow comments to be preserved in HTML. Until that feature request, or a similar one, is completed, this is not possible with the HTML sanitizer.

Thunderforge