add tag in safeName method in HtmlStreamRenderer

OWASP / java-html-sanitizer

Takes third-party HTML and produces HTML that is safe to embed in your web application. Fast and easy to configure.

Other

851 stars 214 forks source link

I organized the guide to use a different tag(reference is MDN)

<frame> -> <iframe> https://developer.mozilla.org/en-US/docs/Web/HTML/Element/frame

<applet> -> <object> https://developer.mozilla.org/en-US/docs/Web/HTML/Element/applet

<basefont> -> <font> (but font is obsolete too) https://developer.mozilla.org/en-US/docs/Web/HTML/Element/basefont

<acronym> -> <abbr> https://developer.mozilla.org/en-US/docs/Web/HTML/Element/acronym

<strike> -> <del> or <s> https://developer.mozilla.org/en-US/docs/Web/HTML/Element/strike

<tt> -> <code>, <kbd>, <samp>, <var> or <pre> https://developer.mozilla.org/en-US/docs/Web/HTML/Element/tt

<command> -> <menuitem> https://developer.mozilla.org/en-US/docs/Web/HTML/Element/command

<dir> -> <ul> https://developer.mozilla.org/en-US/docs/Web/HTML/Element/dir

@mikesamuel

sub compatibility will be broken. The tags that were well expressed before are changed. But I think it is right to change because HTML is updated. How about you?
basefont and strike and tt tags are difficult to decide.

  static String safeName(String unsafeElementName) {
    String elementName = HtmlLexer.canonicalName(unsafeElementName);

    // Substitute a reliably non-raw-text element for raw-text and
    // plain-text elements.
    switch (elementName.length()) {
      case 3:
        if ("xmp".equals(elementName)) { return "pre"; }
        if ("dir".equals(elementName)) { return "ul"; }
        break;
      case 5:
        if ("frame".equals(elementName)) { return "iframe"; }
        break;
      case 6:
        if ("applet".equals(elementName)) { return "object"; }
        break;
      case 7:
        if ("listing".equals(elementName)) { return "pre"; }
        if ("acronym".equals(elementName)) { return "abbr"; }
        if ("command".equals(elementName)) { return "menuitem"; }
        break;
      case 9:
        if ("plaintext".equals(elementName)) { return "pre"; }
        break;
    }
    return elementName;
  }

You are one of the first volunteers to dig so deeply into Mikes parser code. You should be proud. Thank you!

-- Jim Manico @Manicode

On Jun 4, 2020, at 3:54 AM, yangbongsoo notifications@github.com wrote:

I organized the guide to use a different tag(reference is MDN)
-> https://developer.mozilla.org/en-US/docs/Web/HTML/Element/frame <applet> -> <object> https://developer.mozilla.org/ko/docs/Web/HTML/Element/applet <basefont> -> <font> (but font is obsolete too) https://developer.mozilla.org/ko/docs/Web/HTML/Element/basefont <acronym> -> <abbr> https://developer.mozilla.org/ko/docs/Web/HTML/Element/acronym <strike> -> <del> or <s> https://developer.mozilla.org/en-US/docs/Web/HTML/Element/strike <tt> -> <code>, <kbd>, <samp>, <var> or <pre> https://developer.mozilla.org/en-US/docs/Web/HTML/Element/tt <command> -> <menuitem> https://developer.mozilla.org/ko/docs/Web/HTML/Element/command <dir> -> <ul> https://developer.mozilla.org/ko/docs/Web/HTML/Element/dir — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub, or unsubscribe. </blockquote> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/yangbongsoo"><img src="https://avatars.githubusercontent.com/u/7060510?v=4" />yangbongsoo</a> commented <strong> 4 years ago</strong> </div> <div class="markdown-body"> <p>@jmanico thank you. our team(in corporation) decide to use sanitizer. But I want to contribute to continuous development on sanitizer, not just use. I think this is truly open source value.</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/yangbongsoo"><img src="https://avatars.githubusercontent.com/u/7060510?v=4" />yangbongsoo</a> commented <strong> 4 years ago</strong> </div> <div class="markdown-body"> <p>in addition, below tags received warning by MDN.</p> <p><code>frameset</code> : Deprecated. no longer recommended. <code>keygen</code> : Obsolete. try to avoid using it <code>big</code> : Obsolete. try to avoid using it <code>noframes</code> : Obsolete. try to avoid using it <code>isindex</code> : Obsolete. try to avoid using it(all browser compatibility none)</p> <p>but MDN doesn't guide to use other tags.</p> </div> </div> <div class="page-bar-simple"> </div> <div class="footer"> <ul class="body"> <li>© <script> document.write(new Date().getFullYear()) </script> Githubissues.</li> <li>Githubissues is a development platform for aggregating issues.</li> </ul> </div> <script src="https://cdn.jsdelivr.net/npm/jquery@3.5.1/dist/jquery.min.js"></script> <script src="/githubissues/assets/js.js"></script> <script src="/githubissues/assets/markdown.js"></script> <script src="https://cdn.jsdelivr.net/gh/highlightjs/cdn-release@11.4.0/build/highlight.min.js"></script> <script src="https://cdn.jsdelivr.net/gh/highlightjs/cdn-release@11.4.0/build/languages/go.min.js"></script> <script> hljs.highlightAll(); </script> </body> </html>

OWASP / java-html-sanitizer

add tag in safeName method in HtmlStreamRenderer #203