Open kocakosm opened 1 year ago
You can see this behaviour in this sample project.
Empty span
is dropped, because it is part on DEFAULT_SKIP_IF_EMPTY
.
You need to allow it using allowWithoutAttributes
. cf. https://github.com/OWASP/java-html-sanitizer/blob/91c5fdc146a01aab1e8b0db38be449a960fe88c1/src/test/java/org/owasp/html/HtmlPolicyBuilderTest.java#L712-L723
Hi,
<span>
elements get removed by the sanitizer even when they are allowed by the policy.For instance I'd expect the following code :
to return
<span>Hi!</span>
instead ofHi!
.The exact same behaviour can be observed with a custom policy :
returns
Hi!
instead of<span>Hi!</span>
.Also, note that other HTML5 inline formatting elements (such as
b
,i
,s
,u
,sup
,sub
,ins
,del
,strong
,code
,small
andem
) are not affected by this "bug".Thanks for your help.