OWASP / java-html-sanitizer

Takes third-party HTML and produces HTML that is safe to embed in your web application. Fast and easy to configure.

Overflow is sanitized #236

Open Butanium opened 2 years ago

Butanium commented 2 years ago

Hello, the codingame game engine, which allows people to create games for its platform, uses your sanitizer on the game documentation. When I tried to implement some overflow on tables, it got sanitized. The game engine's principal contributor told me that he allowed everything he could and that he didn't know your sanitizer would delete overflows.

Is it possible to allow them?

Here is the part of their code where they sanitize the game statement, and here is the part of my HTML page including the overflow:

<div style="overflow-x:auto;">
    <table class="tableizer-table" ;>
        <thead>
        <tr class="tableizer-firstrow" ;>
            <th>Bot class</th>
            <th>Damage per bullet</th>
            <th>Bullet per shot</th>
            <th>Aim duration (frame)</th>
            <th>Shot duration (frame)</th>
            <th>Precision short range</th>
            <th>Precision mid range</th>
            <th>Precision long range</th>
            <th>Speed</th>
            <th>Health</th>
            <th>Shield</th>
        </tr>
        </thead>
        <tbody>
        <tr align="center" ;>
            <td>Assault</td>
            <td>300</td>
            <td>3</td>
            <td>4</td>
            <td>2</td>
            <td>95%</td>
            <td>55%</td>
            <td>15%</td>
            <td>1.2</td>
            <td>5000</td>
            <td>3000</td>
        </tr>
        </tbody>
    </table>
</div>
mikesamuel commented 2 years ago

What do you mean by "overflows?" Are you talking about the CSS overflow-x properties?

mikesamuel commented 2 years ago

Or do the semicolons inside your HTML tags relate to your question?

Butanium commented 2 years ago

Hello, the overflow-x properties

mikesamuel commented 2 years ago

I believe overflow-x is recognized by the CSS property validator.

https://github.com/OWASP/java-html-sanitizer/blob/e2b29e803c4f7ea225f569d18b3b1356d8e5bf3d/src/main/java/org/owasp/html/CssSchema.java#L421-L426

Butanium commented 2 years ago

Thanks for your answer!

How do you add them to the PolicyFactory, as is done for TABLES etc.?

Butanium commented 2 years ago

If I import org.owasp.html.CssSchema and add

.and(CssSchema.DEFINITIONS)

at this line of code, will it work?

CGjupoulton commented 2 years ago

no :/

csware commented 5 months ago

Add this to your policy to explicitly allow this property (with values as defined in CssSchema): .allowStyling(CssSchema.withProperties(List.of("overflow-x")))
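Putting the previous comment into a complete policy, as an added example that is not code from the issue or from the java-html-sanitizer project: it builds a PolicyFactory that keeps the `overflow-x` declaration on the wrapping `div` while still going through the sanitizer, and contrasts it with a policy that only uses `allowStyling()` (the default `CssSchema.DEFAULT` whitelist), which is what the reporter describes as stripping the property. The class name, the sample HTML and the choice of properties are assumptions made for the example; the API calls (`HtmlPolicyBuilder`, `CssSchema.withProperties`, `CssSchema.union`, `allowStyling(CssSchema)`, `Sanitizers.TABLES`, `Sanitizers.BLOCKS`) are the library's own.

```java
import java.util.List;

import org.owasp.html.CssSchema;
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;
import org.owasp.html.Sanitizers;

/**
 * Example policy (not part of the issue or the project): allow the
 * CSS overflow properties in style="..." attributes on top of the
 * default styling whitelist, combined with the stock table and block
 * policies.
 */
public class OverflowPolicyExample {

    // Every property name passed here must exist in CssSchema.DEFINITIONS,
    // otherwise CssSchema.withProperties throws IllegalArgumentException.
    // The values accepted for each property are the ones DEFINITIONS
    // specifies, so e.g. overflow-x:url(...) is still rejected.
    static final CssSchema OVERFLOW_SCHEMA =
            CssSchema.withProperties(List.of("overflow", "overflow-x", "overflow-y"));

    // Union with CssSchema.DEFAULT so color, font, width, etc. keep working;
    // withProperties alone would restrict style="" to the three overflow
    // properties.
    static final CssSchema STYLE_SCHEMA =
            CssSchema.union(CssSchema.DEFAULT, OVERFLOW_SCHEMA);

    /** Policy that keeps overflow-x (what csware's comment recommends). */
    static final PolicyFactory WITH_OVERFLOW = new HtmlPolicyBuilder()
            .allowElements("div")
            .allowAttributes("class").onElements("div", "table", "tr", "td", "th")
            .allowStyling(STYLE_SCHEMA)
            .toFactory()
            .and(Sanitizers.TABLES)
            .and(Sanitizers.BLOCKS);

    /** Policy that only enables the default styling whitelist, for comparison. */
    static final PolicyFactory DEFAULT_STYLING = new HtmlPolicyBuilder()
            .allowElements("div")
            .allowAttributes("class").onElements("div", "table", "tr", "td", "th")
            .allowStyling()
            .toFactory()
            .and(Sanitizers.TABLES)
            .and(Sanitizers.BLOCKS);

    // Constructed input modelled on the reporter's snippet: a scrollable
    // wrapper around a table, plus a declaration that no schema should keep.
    static final String SAMPLE_HTML =
            "<div style=\"overflow-x:auto; behavior:url(evil.htc)\">"
            + "<table class=\"tableizer-table\"><thead><tr><th>Bot class</th>"
            + "<th>Speed</th></tr></thead><tbody><tr align=\"center\">"
            + "<td>Assault</td><td>1.2</td></tr></tbody></table></div>";

    static String sanitizeWithOverflow(String html) {
        return WITH_OVERFLOW.sanitize(html);
    }

    static String sanitizeDefault(String html) {
        return DEFAULT_STYLING.sanitize(html);
    }

    public static void main(String[] args) {
        String kept = sanitizeWithOverflow(SAMPLE_HTML);
        String dropped = sanitizeDefault(SAMPLE_HTML);

        System.out.println("with overflow schema:  " + kept);
        System.out.println("default styling only:  " + dropped);

        // Sanity checks a practitioner would want before shipping the policy:
        // the wanted declaration survives, the unwanted one never does.
        if (!kept.contains("overflow-x")) {
            throw new IllegalStateException("overflow-x was stripped by WITH_OVERFLOW");
        }
        if (kept.contains("behavior") || dropped.contains("behavior")) {
            throw new IllegalStateException("behavior: must never survive sanitization");
        }
    }
}
```

Whether `DEFAULT_STYLING` drops `overflow-x` depends on the `CssSchema.DEFAULT` whitelist of the library version in use, which is why the example only asserts on the policy that explicitly enables the property; run it against the version the engine ships to confirm the behaviour reported above before relying on it.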