OWASP HTML Sanitizer clears comments

I have an application in which the client can store the following HTML strings, which load different styles depending on the actual browser:

<!--[if IE 6]><link rel="stylesheet" type="text/css" media="all" href="default/css/general_ie6.css"><![endif]-->
<!--[if IE 7]><link rel="stylesheet" type="text/css" media="all" href="default/css/general_ie7.css"><![endif]-->
<!--[if IE 8]><link rel="stylesheet" type="text/css" media="all" href="default/css/general_ie8.css"><![endif]-->

I also set up an OWASP policy to ban malicious html tags as follows:

 PolicyFactory policy = new HtmlPolicyBuilder().allowElements("link")
     .allowAttributes("rel", "type", "media", "href").onElements("link").toFactory();

But after sanitizing, the browser-conditional lines are removed.

Could you suggest how to configure the policy to allow the storage of such content?

+6
1 answer

You cannot configure the OWASP Sanitizer to accept these tags. Instead, you can use an HTML parser such as JSoup to extract these lines before sanitizing, and then add them back.

+1
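The approach in the answer written out as an added example (not code from the original post or from either project): jsoup separates the conditional comments from the rest of the input, the markup inside each comment is run through the question's own policy, and the comment wrapper is rebuilt around the result. The class and method names and the constructed input are mine; jsoup and the OWASP Java HTML Sanitizer are assumed to be on the classpath.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.jsoup.Jsoup;
import org.jsoup.nodes.Comment;
import org.jsoup.nodes.Node;
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

public class ConditionalCommentSanitizer {
    // The same policy as in the question: only <link> with these four attributes survives.
    static final PolicyFactory POLICY = new HtmlPolicyBuilder()
        .allowElements("link")
        .allowAttributes("rel", "type", "media", "href").onElements("link")
        .toFactory();

    // Comment data of a downlevel-hidden conditional comment: "[if IE 6]> ... <![endif]".
    // The condition is limited to the characters IE's expressions use, so nothing that
    // looks like markup can be carried back in through the "[if ...]" prefix.
    static final Pattern CONDITIONAL =
        Pattern.compile("^\\[if ([\\w !().&|]+)\\]>(.*)<!\\[endif\\]$", Pattern.DOTALL);

    static String sanitizeKeepingConditionalComments(String html) {
        StringBuilder out = new StringBuilder();
        for (Node node : Jsoup.parseBodyFragment(html).body().childNodes()) {
            if (node instanceof Comment) {
                Matcher m = CONDITIONAL.matcher(((Comment) node).getData().trim());
                if (m.matches()) {
                    // IE parses what sits between "]>" and "<![endif]" as live markup,
                    // so it goes through the policy exactly like the rest of the input.
                    out.append("<!--[if ").append(m.group(1)).append("]>")
                       .append(POLICY.sanitize(m.group(2)))
                       .append("<![endif]-->");
                }
                // Any other comment is dropped, which is what the sanitizer does anyway.
            } else {
                out.append(POLICY.sanitize(node.outerHtml()));
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed input: the first line from the question, followed by a script
        // hidden in a conditional comment; the <link> is kept, the script is stripped.
        String input = "<!--[if IE 6]><link rel=\"stylesheet\" type=\"text/css\" media=\"all\" "
            + "href=\"default/css/general_ie6.css\"><![endif]-->"
            + "<!--[if IE]><script>alert(1)</script><![endif]-->";
        System.out.println(sanitizeKeepingConditionalComments(input));
    }
}
```

With this policy the relative paths from the question pass, while an href carrying a scheme is dropped unless the policy also calls allowStandardUrlProtocols(); the stylesheet a client stores is therefore only as trusted as that URL filter.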

Source: https://habr.com/ru/post/1012646/
