OWASP / java-html-sanitizer

Takes third-party HTML and produces HTML that is safe to embed in your web application. Fast and easy to configure.

Fix allowAttributes().globally() (#247) #248

Closed mymhealthltd-joshengland closed 5 months ago

mymhealthltd-joshengland commented 2 years ago

Add guard to .globally() method of HtmlPolicyBuilder to prevent ArrayOutOfBoundsException when checking to see if the zeroth element of the attributeNames list contains 'style'.

This restores behaviour present in version 202180219.1, which allowed for an empty allowed attribute names list to be specified globally through the builder.

mikesamuel commented 2 years ago

Thanks for the bug and the fix.

mikesamuel commented 5 months ago

Fixes #300