OWASP / java-html-sanitizer

Takes third-party HTML and produces HTML that is safe to embed in your web application. Fast and easy to configure.

text-align literals are outdated #340

Open DeepSnowNeeL opened 1 month ago

DeepSnowNeeL commented 1 month ago

On CssSchema (https://github.com/OWASP/java-html-sanitizer/blob/f729a089b20aef49ed9ffd7ed1c7e207eee71dc5/owasp-java-html-sanitizer/src/main/java/org/owasp/html/CssSchema.java#L714)

Property textAlign = new Property(0, union(azimuthLiterals1, textAlignLiterals0), zeroFns);
builder.put("text-align", textAlign);

The text-align possible values are (https://developer.mozilla.org/en-US/docs/Web/CSS/text-align):

text-align: start;
text-align: end;
text-align: left;
text-align: right;
text-align: center;
text-align: justify;
text-align: justify-all;
text-align: match-parent;

/* Block alignment values (Non-standard syntax) */
text-align: -moz-center;
text-align: -webkit-center;

/* Global values */
text-align: inherit;
text-align: initial;
text-align: revert;
text-align: revert-layer;
text-align: unset;

And only 5 of them are kept when sanitizing right now: left, right, center, inherit, justify

I did a dirty hack for the moment to cover my needs:

import java.lang.reflect.Field;
import java.lang.reflect.Method;
import java.util.HashSet;
import java.util.Set;

try {
    CssSchema cssSchema = CssSchema.DEFAULT;
    // forKey is package-private, so reach it through reflection
    Method forKey = cssSchema.getClass().getDeclaredMethod("forKey", String.class);
    forKey.setAccessible(true);
    CssSchema.Property p = (CssSchema.Property) forKey.invoke(cssSchema, "text-align");
    // replace the literal allow-list of the shared default text-align property
    Field literalsField = p.getClass().getDeclaredField("literals");
    literalsField.setAccessible(true);
    Set<String> literals = new HashSet<>((Set<String>) literalsField.get(p));
    literals.add("start");
    literals.add("end");
    literalsField.set(p, literals);
} catch (Exception e) {
    ...
}

The literals of other CSS properties might be outdated too; I didn't check, but it might be necessary to review all of them.
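The same widening of the text-align allow-list can be done without reflection. The example below is added here and is not code from the issue or from the project; it assumes the public API members CssSchema.DEFAULT, CssSchema.allowedProperties(), CssSchema.withProperties (both the Iterable and the Map overload), CssSchema.union, the public CssSchema.Property constructor (bits, literals, fnKeys) and HtmlPolicyBuilder.allowStyling(CssSchema) exist as assumed; check them against the library version in use. The class name TextAlignSchemaExample and the HTML input are constructed for the example.

```java
import java.util.HashSet;
import java.util.Set;

import com.google.common.collect.ImmutableMap;
import com.google.common.collect.ImmutableSet;

import org.owasp.html.CssSchema;
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

/** Example: widen the text-align allow-list through the public CssSchema API. */
public final class TextAlignSchemaExample {

  /**
   * Literals from the MDN list quoted in the issue. The vendor-prefixed
   * block-alignment values are deliberately left out: allow only what is needed.
   */
  static final ImmutableSet<String> TEXT_ALIGN_LITERALS = ImmutableSet.of(
      "start", "end", "left", "right", "center", "justify",
      "justify-all", "match-parent", "inherit");

  /**
   * Builds a schema equal to CssSchema.DEFAULT except that text-align accepts
   * the literals above. CssSchema.union rejects two differing definitions of
   * the same property, so the default text-align entry is dropped first and the
   * replacement is supplied through a second, single-property schema.
   * The shared CssSchema.DEFAULT instance is never modified.
   */
  static CssSchema schemaWithExtendedTextAlign() {
    Set<String> names = new HashSet<>(CssSchema.DEFAULT.allowedProperties());
    names.remove("text-align");
    CssSchema defaultsWithoutTextAlign = CssSchema.withProperties(names);

    // bits = 0: literals only (no quantities, strings, urls or functions),
    // matching how the issue shows the default text-align property declared.
    CssSchema.Property textAlign = new CssSchema.Property(
        0, TEXT_ALIGN_LITERALS, ImmutableMap.<String, String>of());
    CssSchema textAlignOnly =
        CssSchema.withProperties(ImmutableMap.of("text-align", textAlign));

    return CssSchema.union(defaultsWithoutTextAlign, textAlignOnly);
  }

  /** A policy that allows a couple of block elements and inline styles under the extended schema. */
  static PolicyFactory policy() {
    return new HtmlPolicyBuilder()
        .allowElements("p", "div")
        .allowStyling(schemaWithExtendedTextAlign())
        .toFactory();
  }

  public static void main(String[] args) {
    // Constructed input: one newly allowed literal and one value outside the allow-list.
    String untrusted =
        "<p style=\"text-align: start\">kept</p>"
        + "<p style=\"text-align: bogus-value\">style dropped</p>";
    System.out.println(policy().sanitize(untrusted));
  }
}
```

With this policy the first paragraph keeps its text-align declaration and the second loses it, because the sanitizer still only passes values that match a property's literal allow-list. Compared with the reflection hack above, this approach does not mutate the process-wide default schema, does not depend on package-private names that may change between releases, and keeps the accepted values visible in one place where they can be reviewed.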