How to include all the elements in PolicyBuilder in OWASP Java HTML Sanitizer
Is there any way to allow everything in the policy and then just .disallow() a couple of elements and attributes that I know are causing problems? For example, instead of doing

```java
PolicyFactory policy = new HtmlPolicyBuilder()
    .allowElements("table", "tr", "td", "href", "body", "th", "font", "button", "input", "select")
```

I could do

```java
PolicyFactory policy = new HtmlPolicyBuilder()
    .allowElements(/* include all elements */)
```

Note: I don't want to use AntiSamy.
Solution 1:[1]
This is not possible, as OWASP Java HTML Sanitizer is a whitelist filter and not a blacklist filter.
By default the sanitizer disallows everything, and you must know what you want your application to receive.
Solution 2:[2]
The class org.owasp.html.Sanitizers contains a lot of examples of how to include a group of allowed elements:

```java
public final class Sanitizers {
    public static final PolicyFactory FORMATTING = (new HtmlPolicyBuilder()).allowCommonInlineFormattingElements().toFactory();
    public static final PolicyFactory BLOCKS = (new HtmlPolicyBuilder()).allowCommonBlockElements().toFactory();
    public static final PolicyFactory STYLES = (new HtmlPolicyBuilder()).allowStyling().toFactory();
    public static final PolicyFactory LINKS = (new HtmlPolicyBuilder()).allowStandardUrlProtocols().allowElements(new String[]{"a"}).allowAttributes(new String[]{"href"}).onElements(new String[]{"a"}).requireRelNofollowOnLinks().toFactory();
    // ...etc
}
```
You may use it directly, or, to include all of them, copy it and make your own policy with all of them:

```java
public static final PolicyFactory ALL_HTML = (new HtmlPolicyBuilder())
    .allowCommonInlineFormattingElements()
    .allowCommonBlockElements()
    .allowStyling()
    .allowStandardUrlProtocols()
    .allowElements(new String[]{"a"}).allowAttributes(new String[]{"href"}).onElements(new String[]{"a"}).requireRelNofollowOnLinks()
    .allowElements(new String[]{"table", "tr", "td", "th", "colgroup", "caption", "col", "thead", "tbody", "tfoot"}).allowAttributes(new String[]{"summary"}).onElements(new String[]{"table"}).allowAttributes(new String[]{"align", "valign"}).onElements(new String[]{"table", "tr", "td", "th", "colgroup", "col", "thead", "tbody", "tfoot"}).allowTextIn(new String[]{"table"})
    .toFactory();
```
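Added example (not from either answer or the library's own source): rather than copying the definitions, the predefined policies can be chained with `PolicyFactory.and()`, and a broad allow-list can be narrowed again with `HtmlPolicyBuilder.disallowElements()`; the sample input and the class name `CombinedPolicyDemo` are constructed for the demonstration.

```java
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;
import org.owasp.html.Sanitizers;

public class CombinedPolicyDemo {
    // Combine the library's predefined policies instead of restating them.
    // The result is still an allow-list: anything none of them permits is dropped.
    static final PolicyFactory COMBINED = Sanitizers.FORMATTING
            .and(Sanitizers.BLOCKS)
            .and(Sanitizers.STYLES)
            .and(Sanitizers.LINKS)
            .and(Sanitizers.TABLES);

    // Start from a broad allow-list, then remove specific elements again.
    // This is the closest the builder gets to "allow a lot, then disallow a few".
    static final PolicyFactory TRIMMED = new HtmlPolicyBuilder()
            .allowCommonInlineFormattingElements()
            .allowCommonBlockElements()
            .disallowElements("blockquote", "pre")
            .toFactory();

    public static void main(String[] args) {
        // Constructed sample input mixing allowed markup with markup that
        // neither policy permits (event handler, script element, javascript: URL).
        String untrusted = "<p onclick=\"alert(1)\">Hi <b>there</b></p>"
                + "<script>alert(1)</script>"
                + "<a href=\"javascript:alert(1)\">x</a>"
                + "<a href=\"https://example.org\">ok</a>"
                + "<pre>code</pre>";

        // Keeps <p>, <b>, <pre> and the https link (with rel="nofollow" added);
        // drops onclick, the script element and the javascript: href.
        System.out.println(COMBINED.sanitize(untrusted));

        // Same, but <pre> is no longer allowed and links are not in the policy,
        // so only the link text survives.
        System.out.println(TRIMMED.sanitize(untrusted));
    }
}
```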
Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow

| Solution | Source |
|---|---|
| Solution 1 | SPoint |
| Solution 2 | |
