OWASP / java-html-sanitizer

Takes third-party HTML and produces HTML that is safe to embed in your web application. Fast and easy to configure.

word-break in style is discarded because it is not considered a valid value in CSSSchema #192

Open mrabhishek opened 4 years ago

mrabhishek commented 4 years ago

input:

<div>
<table>
<td style="word-break: keep-all;">
</td>
</table>
</div>

policy:

              Sanitizers.BLOCKS
                  .and(Sanitizers.FORMATTING)
                  .and(Sanitizers.LINKS)
                  .and(Sanitizers.TABLES)
                  .and(Sanitizers.IMAGES)
                  .and(Sanitizers.STYLES)
                  .and(new HtmlPolicyBuilder()
                      .allowElements("style")
                      .allowAttributes("style").onElements("td", "table", "div")
                      .allowAttributes("type", "word-break").onElements("style")
                      .toFactory());

Expected output (should contain word-break):

<div>
<table>
<td style="word-break: keep-all;">
</td>
</table>
</div>

juanmacoo commented 4 years ago

word-wrap does not have any similar behaviour to the property break-all. Is there a reason it is not included in the allowed attributes?

mrabhishek commented 2 years ago

How do we get an answer for this one? It does not look like the default Style policy can be overridden. If not, it means that there is no way to provide a custom CSS schema that can allow elements like word-break and display that are not part of the default CSS schema.

Looking for some explanation on why display is part of CSS definitions but not in the default schema that is used in Style:

https://github.com/OWASP/java-html-sanitizer/blob/main/src/main/java/org/owasp/html/CssSchema.java#L593

csware commented 9 months ago

CSS properties defined in CssSchema but not on the default list can be allowed by adding: .allowStyling(CssSchema.withProperties(List.of("word-break")))

The default CSS definitions can also be overwritten (in principle, but currently it does not work because of issue #313), by adding the following code to the HtmlPolicyBuilder:

              .allowStyling(
                  CssSchema.withProperties(
                      Map.of("word-break",
                          new CssSchema.Property(0,
                              Set.of("keep-all", "valid-values"),
                              Collections.emptyMap()))))
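The two configurations discussed in this thread side by side, as an added example that is not code from the issue or from the project: the reporter's Sanitizers.STYLES policy (which styles against CssSchema.DEFAULT and so drops word-break) and csware's allow-list approach via CssSchema.withProperties. It assumes a java-html-sanitizer release that exposes CssSchema.DEFAULT, CssSchema.union and CssSchema.withProperties; the input string is constructed after the one in the report.

```java
import java.util.List;

import org.owasp.html.CssSchema;
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;
import org.owasp.html.Sanitizers;

public class WordBreakStylingExample {

    // Constructed input, modelled on the markup in the issue report.
    static final String INPUT =
        "<div><table><td style=\"word-break: keep-all;\">cell</td></table></div>";

    /** Policy as in the report: Sanitizers.STYLES uses CssSchema.DEFAULT, which lacks word-break. */
    static PolicyFactory defaultStylesPolicy() {
        return Sanitizers.BLOCKS.and(Sanitizers.TABLES).and(Sanitizers.STYLES);
    }

    /**
     * Same element allow-list, but the styling schema is DEFAULT extended with word-break.
     * CssSchema.withProperties only accepts names that CssSchema itself defines (assumption:
     * unknown names are rejected), so the value grammar still comes from the library, not
     * from the caller: "keep-all" is accepted, arbitrary text is not.
     */
    static PolicyFactory wordBreakPolicy() {
        CssSchema schema = CssSchema.union(
            CssSchema.DEFAULT,
            CssSchema.withProperties(List.of("word-break")));
        PolicyFactory styles = new HtmlPolicyBuilder()
            .allowStyling(schema)
            .toFactory();
        return Sanitizers.BLOCKS.and(Sanitizers.TABLES).and(styles);
    }

    /** True when the sanitized output still carries a word-break declaration. */
    static boolean keepsWordBreak(PolicyFactory policy) {
        return policy.sanitize(INPUT).contains("word-break");
    }

    public static void main(String[] args) {
        System.out.println("default schema : " + defaultStylesPolicy().sanitize(INPUT));
        System.out.println("with word-break: " + wordBreakPolicy().sanitize(INPUT));
        System.out.println("kept by default? " + keepsWordBreak(defaultStylesPolicy()));
        System.out.println("kept by custom?  " + keepsWordBreak(wordBreakPolicy()));
    }
}
```

Note that the sanitizer re-serializes the style value and balances the table markup, so compare on the presence of the declaration rather than on the exact output string.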