OWASP / java-html-sanitizer

Takes third-party HTML and produces HTML that is safe to embed in your web application. Fast and easy to configure.

Allow disabling the default attribute guards from HtmlPolicyBuilder #275

Open rombert opened 1 year ago

rombert commented 1 year ago

We are currently embedding the java-html-sanitizer in our open source library at https://github.com/apache/sling-org-apache-sling-xss/.

We have recently migrated the XSS bundle from AntiSamy to the java HTML sanitizer. We have a set of very well defined behaviours that we expect from the output. Since we are defining the behaviour at a very fine level, we ran into problems with the default attribute guards that encode default, non-overrideable behaviours. We worked around it using reflection, but that is unsustainable and will very likely cause trouble for Java 12 and newer, since it's a final field.

We would welcome an option to disable these default attribute guards and would be willing to work on a contribution that provides this option, if acceptable to the maintainers.
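For readers unfamiliar with the behaviour the issue refers to, the following is an added example (not code from the issue, the Sling XSS bundle, or the sanitizer project itself) showing how a policy is built with `HtmlPolicyBuilder` and how the built-in URL guard on `href` acts on top of whatever the policy author allows. It assumes the `owasp-java-html-sanitizer` artifact is on the classpath; the HTML input is constructed for the demonstration.

```java
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

public class AttributeGuardDemo {

    // A narrow policy: paragraphs and links, with href allowed on <a>.
    // Even though href is explicitly allowed here, the sanitizer applies its
    // own URL guard to it: only the protocols listed as allowed survive, so
    // a javascript: URL is removed regardless of how the policy was written.
    static final PolicyFactory POLICY = new HtmlPolicyBuilder()
        .allowElements("p", "a")
        .allowAttributes("href").onElements("a")
        .allowStandardUrlProtocols()      // http, https, mailto
        .requireRelNofollowOnLinks()      // adds rel="nofollow" to kept links
        .toFactory();

    /** Returns the sanitized form of untrusted HTML under POLICY. */
    public static String sanitize(String untrusted) {
        return POLICY.sanitize(untrusted);
    }

    public static void main(String[] args) {
        // Constructed sample input: one acceptable link and one with a
        // javascript: URL that the default URL guard on href will drop.
        String constructed = "<p>Hi <a href=\"https://example.com/\">ok</a>"
            + " and <a href=\"javascript:void(0)\">dropped href</a></p>";
        System.out.println(sanitize(constructed));
    }
}
```

The point relevant to the issue is the second link: the policy author allowed `href`, but the guard attached to URL attributes by the builder still filters its value by protocol. That guard is the kind of built-in behaviour the request above asks to make optional; a downstream project that defines its own URL handling has no supported way to replace it today.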