allowAttributes("style").globally() shouldn't imply allowStyling() - Regression with 2024 version

OWASP / java-html-sanitizer

Takes third-party HTML and produces HTML that is safe to embed in your web application. Fast and easy to configure.

Other

833 stars 210 forks source link

Open subbudvk opened 3 months ago

subbudvk commented 3 months ago

This recent breaking changes

Forces validating global style content with CSSSchema - Earlier we had better options seperately allowAttributes("style").globally() - doesn't sanitize, allowStyling() - did sanitize.
make disallowAttribute("style").globally() now does allowStyling() as pointed out in the PR by someone.

@mikesamuel @jmanico : Can you kindly have a look as we are facing issues after 2024 version upgrade.

subbudvk commented 2 months ago

@mikesamuel

csware commented 2 months ago

Please also add test cases for the cases that must not happen.

subbudvk commented 1 month ago

@mikesamuel