OWASP / java-html-sanitizer

Takes third-party HTML and produces HTML that is safe to embed in your web application. Fast and easy to configure.

Comments don't get removed if inside curly brackets #239

Open matthiasunt opened 2 years ago

matthiasunt commented 2 years ago

I noticed that comments are not removed if they are placed inside curly brackets.

Example

import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

public class CommentInBraces {
  public static void main(String[] args) {
    PolicyFactory policy = new HtmlPolicyBuilder().allowElements("p").toFactory();
    String unsanitized = "<p>{<!-- -->}</p>";
    String sanitized = policy.sanitize(unsanitized);
    String expected = "<p>{}</p>";
    System.out.println("Expected: " + expected + "\nActual: " + sanitized);
  }
}

The above code prints:

Expected: <p>{}</p>
Actual: <p>{<!-- -->}</p>

This also happens if the brackets and comment are not nested inside a paragraph element (e.g. {<!-- -->}). Surprisingly, the comment is removed if there is whitespace between the bracket and the comment (e.g. {<!-- -->}).

vanwobe commented 2 years ago

This must be linked to: https://github.com/OWASP/java-html-sanitizer/blob/master/docs/client-side-templates.md#escaping-of-sensitive-constructs

In your example the comment could indeed be removed while still fulfilling the escaping-of-sensitive-constructs rule.
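To make the linked rule concrete, the following added example (not code from this issue or from the java-html-sanitizer project) runs the same `allowElements("p")` policy over inputs containing the brace sequences that client-side template engines such as Angular or Mustache treat as directives, and checks the property a consumer of sanitized HTML actually cares about: that no run of adjacent braces survives in the output, whether the input was `{}` (the issue's case) or `{{...}}`. The class name, the `outputHasNoAdjacentBraces` helper and the sample inputs are mine; that the sanitizer splits every adjacent brace pair is an assumption drawn from the issue's observed output and the linked documentation, which is why the check reports a surviving pair rather than assuming a fixed output string.

```java
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;
import java.util.List;
import java.util.regex.Pattern;

public class BraceSplittingCheck {
    // Two adjacent braces in sanitized output could be read as a template
    // delimiter ({{ ... }}) by a client-side templating engine, so any such
    // pair that survives sanitization is reported as a finding.
    private static final Pattern ADJACENT_BRACES = Pattern.compile("[{}]{2}");

    // Same policy as in the issue: only <p> is allowed; comments are never allowed.
    static final PolicyFactory POLICY =
        new HtmlPolicyBuilder().allowElements("p").toFactory();

    /** Returns true if sanitizing the input leaves no adjacent braces in the output. */
    static boolean outputHasNoAdjacentBraces(String input) {
        return !ADJACENT_BRACES.matcher(POLICY.sanitize(input)).find();
    }

    public static void main(String[] args) {
        // Constructed inputs (not from the issue thread except the first one):
        // the issue's case, two template-looking payloads, and a benign case
        // with whitespace between the braces, which the issue reports is left alone.
        List<String> inputs = List.of(
            "<p>{<!-- -->}</p>",          // from the issue
            "<p>{{user.name}}</p>",       // template-looking text
            "<p>{{7*7}}</p>",             // classic template-injection probe
            "<p>{ }</p>");                // whitespace between braces
        for (String in : inputs) {
            String out = POLICY.sanitize(in);
            System.out.printf("%-28s -> %s%n", in, out);
            if (!outputHasNoAdjacentBraces(in)) {
                System.out.println("  WARNING: adjacent braces survived sanitization");
            }
        }
    }
}
```

Read this way, the `<!-- -->` in the issue's output is the sanitizer's own brace splitting rather than a comment that leaked through: the input comment is dropped by the parser, the resulting text `{}` is then re-encoded with a separator so it cannot be joined back into a template delimiter. A consumer that wants to verify the guarantee rather than the mechanism can keep the adjacent-brace check above as a unit test against its own policy.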