OWASP / java-html-sanitizer

Takes third-party HTML and produces HTML that is safe to embed in your web application. Fast and easy to configure.

Array out of bounds exception on HtmlPolicyBuilder initialization #247

Open mymhealthltd-joshengland opened 2 years ago

mymhealthltd-joshengland commented 2 years ago

Constructing an HtmlPolicyBuilder with zero defined global attributes, globally, leads to an Array out of bounds exception.

Here is sample code that produces the problem:

new HtmlPolicyBuilder().allowElements().allowAttributes().globally().toFactory();

The exception comes from an unguarded check on the zeroth element of the attributeNames list. In this situation, attributeNames is empty and so has no zeroth element.

    public HtmlPolicyBuilder globally() {
      // Unguarded: attributeNames is empty when allowAttributes() was
      // called with no names, so get(0) throws IndexOutOfBoundsException.
      if(attributeNames.get(0).equals("style")) {
        return allowStyling();
      } else {
        return HtmlPolicyBuilder.this.allowAttributesGlobally(
            policy, attributeNames);
      }
    }

This construction used to work in version 20180219.1 of this library but is broken in 20211018.2.
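As an added illustration (not code from the issue or from the java-html-sanitizer project), the snippet below reproduces the reported crash against an affected build and shows the caller-side guard a defender can apply while the library's `globally()` is unguarded: skip the `allowAttributes(...).globally()` call entirely when the attribute list is empty, so an empty configuration (for example one loaded from an external file) cannot take the sanitizer down at startup. The class name `EmptyAttributeListRepro` and the helper `buildPolicy` are hypothetical; the public `HtmlPolicyBuilder`, `PolicyFactory` and `sanitize` calls are the library's real API.

```java
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

public class EmptyAttributeListRepro {

    // Hypothetical helper: builds a policy from a possibly empty list of
    // globally allowed attribute names without touching the unguarded
    // AttributeBuilder.globally() path when the list is empty.
    static PolicyFactory buildPolicy(String[] elements, String[] globalAttrs) {
        HtmlPolicyBuilder builder = new HtmlPolicyBuilder().allowElements(elements);
        // Guard: affected versions index attributeNames.get(0) inside globally()
        // without checking for emptiness, so only call it when there is a name.
        if (globalAttrs.length > 0) {
            builder = builder.allowAttributes(globalAttrs).globally();
        }
        return builder.toFactory();
    }

    public static void main(String[] args) {
        // 1. Reproduce the issue exactly as reported. On 20211018.2 this throws;
        //    on a version with the fix it completes normally.
        try {
            new HtmlPolicyBuilder().allowElements().allowAttributes().globally().toFactory();
            System.out.println("no exception: this build guards the empty attribute list");
        } catch (IndexOutOfBoundsException e) {
            System.out.println("reproduced: " + e);
        }

        // 2. The guarded builder accepts an empty attribute list (constructed
        //    sample input) and still strips disallowed attributes on output.
        PolicyFactory policy = buildPolicy(new String[] {"p", "b"}, new String[] {});
        String untrusted = "<p onclick=\"alert(1)\"><b>hi</b></p>";
        System.out.println(policy.sanitize(untrusted));
    }
}
```

Because no global attribute is allowed in the guarded case, `onclick` is dropped while the allowed `p` and `b` elements survive, which is the same result the library produces when the empty list is handled internally.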