How to include all the elements in PolicyBuilder in OWASP Java HTML Sanitizer

Question

Is there any way to allow everything in the policy and then I would just .disallow() couple of elements and attributes that I know are causing problems. For example instead of doing "

 PolicyFactory policy = new HtmlPolicyBuilder()
                .allowElements("table", "tr", "td", "href", "body", "th", "font", "button", "input", "select")

i can do

 PolicyFactory policy = new HtmlPolicyBuilder()
                .allowElements(Include all elements)

Note:I don't want to use Antisamy.

score 2 · Answer 1 · answered Nov 20 '18 at 15:03

2

This is not possible as OWASP Java HTML Sanitizer is a white-list filter and not a blaklist filter.

By default the sanitizer disallow all, and you must known what you want to you application to receive.

answered Nov 20 '18 at 15:03

SPoint

582
2
10

pdem · Answer 2 · 2022-05-20T14:07:30.117

the class org.owasp.html.Sanitizers contains a lot of example to include a group of allowed elements.

public final class Sanitizers {
  public static final PolicyFactory FORMATTING = (new HtmlPolicyBuilder()).allowCommonInlineFormattingElements().toFactory();
  public static final PolicyFactory BLOCKS = (new HtmlPolicyBuilder()).allowCommonBlockElements().toFactory();
  public static final PolicyFactory STYLES = (new HtmlPolicyBuilder()).allowStyling().toFactory();
  public static final PolicyFactory LINKS = (new HtmlPolicyBuilder()).allowStandardUrlProtocols().allowElements(new String[]{"a"}).allowAttributes(new String[]{"href"}).onElements(new String[]{"a"}).requireRelNofollowOnLinks().toFactory();
  // ...etc

You may use it directly or to include all of them, copy it and make your own policy with all of them

public static final PolicyFactory ALL_HTML = (new HtmlPolicyBuilder())
        .allowCommonInlineFormattingElements()
        .allowCommonBlockElements()
        .allowStyling()
        .allowStandardUrlProtocols()
        .allowElements(new String[]{"a"}).allowAttributes(new String[]{"href"}).onElements(new String[]{"a"}).requireRelNofollowOnLinks()
        .allowElements(new String[]{"table", "tr", "td", "th", "colgroup", "caption", "col", "thead", "tbody", "tfoot"}).allowAttributes(new String[]{"summary"}).onElements(new String[]{"table"}).allowAttributes(new String[]{"align", "valign"}).onElements(new String[]{"table", "tr", "td", "th", "colgroup", "col", "thead", "tbody", "tfoot"}).allowTextIn(new String[]{"table"})
        .toFactory();

How to include all the elements in PolicyBuilder in OWASP Java HTML Sanitizer

2 Answers2