OWASP / java-html-sanitizer

Takes third-party HTML and produces HTML that is safe to embed in your web application. Fast and easy to configure.

Prevent StringIndexOutOfBoundsException on empty default rel set #163

Closed kyle-simmons closed 5 years ago

kyle-simmons commented 5 years ago

When using the HtmlPolicyBuilder, if both noopener and noreferrer are supplied to skipRelsOnLinks, then a StringIndexOutOfBoundsException will get thrown when applying sanitization on elements that have both an href and target. This PR addresses that issue by only attempting to apply rels to the element if we actually have a non-zero set of rels to apply.

Addresses https://github.com/OWASP/java-html-sanitizer/issues/151
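The two policy configurations the PR description contrasts, written out as an added example (not code from the PR or from the project). It assumes a release that includes the linked fix; on an affected build the second policy threw `StringIndexOutOfBoundsException` from `sanitize` for the constructed input, which is the situation the PR's test case covers. The class name, the sample input and the `sanitizesWithoutException` helper are this example's own.

```java
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

public class SkipRelsExample {

    // Constructed input: an anchor with both href and target, the element shape
    // the PR says triggered the exception when every default rel was skipped.
    static final String INPUT =
        "<a href=\"https://example.com/\" target=\"_blank\">open</a>";

    // Library defaults: allowing target on <a> means the sanitizer adds the
    // default rels (noopener, noreferrer) to links that carry a target.
    static PolicyFactory withDefaultRels() {
        return new HtmlPolicyBuilder()
            .allowElements("a")
            .allowAttributes("href", "target").onElements("a")
            .allowStandardUrlProtocols()
            .toFactory();
    }

    // The configuration from the PR description: both default rels are skipped,
    // leaving an empty rel set to apply to links that have href and target.
    static PolicyFactory withAllDefaultRelsSkipped() {
        return new HtmlPolicyBuilder()
            .allowElements("a")
            .allowAttributes("href", "target").onElements("a")
            .allowStandardUrlProtocols()
            .skipRelsOnLinks("noopener", "noreferrer")
            .toFactory();
    }

    // Regression-style check (hypothetical helper): true when sanitizing does not
    // throw. A RuntimeException here is the failure mode the PR fixes.
    static boolean sanitizesWithoutException(PolicyFactory policy, String html) {
        try {
            policy.sanitize(html);
            return true;
        } catch (RuntimeException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        System.out.println("default rels:   " + withDefaultRels().sanitize(INPUT));
        System.out.println("skipped rels ok: "
            + sanitizesWithoutException(withAllDefaultRelsSkipped(), INPUT));
        System.out.println("skipped rels:   " + withAllDefaultRelsSkipped().sanitize(INPUT));
    }
}
```

Keep a test like the second call in your own suite when you upgrade the sanitizer, since the crash only appears at sanitize time on input that has both attributes. Also note what the configuration gives up: `noopener` is what stops a `target="_blank"` page from reaching back to the opener via `window.opener`, so skipping both default rels removes that protection for every link the policy lets through.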

kyle-simmons commented 5 years ago

@mikesamuel Could you review this PR and provide feedback on whether this is behavior we want to allow? I think regardless a StringIndexOutOfBoundsException is not ideal.

mikesamuel commented 5 years ago

Sorry for the delay. Thanks for the testcase. I think there's a more minimal fix at L1008.

mikesamuel commented 5 years ago

Folded your test and a tweaked fix at https://github.com/OWASP/java-html-sanitizer/commit/83c4ce38014d42709c8262804bba8254dfa2a30c