OWASP / java-html-sanitizer

Takes third-party HTML and produces HTML that is safe to embed in your web application. Fast and easy to configure.

bug: closing tag for </html> misplaced #285

Open woodpexer opened 1 year ago

woodpexer commented 1 year ago

issue is

The following block is my input:

<html><hr><br><div style="font-weight:bold;">aaaaaaaa</div>
<div>bbbbbbbbb.</div>
<div>dddddddddd <u>dddd</u> ddddd</div>
</html>

And the following is my output:

<html></html><hr /><br /><div style="font-weight:bold">aaaaaaaa</div>
<div>bbbbbbbbb.</div>
<div>dddddddddd <u>dddd</u> ddddd</div>

Bug

As can be seen, at the end of my input the closing tag is being moved by the sanitizer right to its starting tag in the output.

This is my policy

new HtmlPolicyBuilder()
            .allowStandardUrlProtocols()
            .allowElements("a", "hr", "br", "div", "u")
            .allowElements("html")
            .allowStyling()
            .toFactory();

not part of the issue

Just by the way: is it possible to turn off the conversion of single opened tags into closed tags like for example:

Kind regards
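
A minimal reproduction of the report above, added here as an example; it is not code from the issue author or from the java-html-sanitizer project. The class name `Issue285Repro` and the helper `closesHtmlEarly` are hypothetical, and the library is assumed to be on the classpath.

```java
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

// Hypothetical class name; not part of the project.
public class Issue285Repro {

    // Policy copied from the report.
    static final PolicyFactory POLICY = new HtmlPolicyBuilder()
            .allowStandardUrlProtocols()
            .allowElements("a", "hr", "br", "div", "u")
            .allowElements("html")
            .allowStyling()
            .toFactory();

    // Input copied from the report.
    static final String INPUT =
            "<html><hr><br><div style=\"font-weight:bold;\">aaaaaaaa</div>\n"
          + "<div>bbbbbbbbb.</div>\n"
          + "<div>dddddddddd <u>dddd</u> ddddd</div>\n"
          + "</html>";

    // Hypothetical helper: true when </html> is emitted before the first
    // content element (<hr>), which is the shape of the reported output.
    static boolean closesHtmlEarly(String sanitized) {
        int close = sanitized.indexOf("</html>");
        int firstContent = sanitized.indexOf("<hr");
        return close >= 0 && firstContent >= 0 && close < firstContent;
    }

    public static void main(String[] args) {
        String out = POLICY.sanitize(INPUT);
        System.out.println(out);
        System.out.println(closesHtmlEarly(out)
                ? "REPRODUCED: </html> precedes the content"
                : "Not reproduced with this library version");
    }
}
```

Running it against different library versions shows whether the placement of `</html>` matches the output quoted in the report.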

Jagannathmaity110 commented 7 months ago

Can I work on this issue??