OWASP / owasp-java-encoder

The OWASP Java Encoder is a Java 1.5+ simple-to-use drop-in high-performance encoder class with no dependencies and little baggage. This project will help Java web developers defend against Cross Site Scripting!
https://owasp.org/www-project-java-encoder/
BSD 3-Clause "New" or "Revised" License

Configuring exclusions for `Encode.forHtml()` #38

Closed sgsvnk closed 3 years ago

sgsvnk commented 4 years ago

Hi

I'm trying to exclude a few HTML tags from getting encoded through Encode.forHtml(). If I understand correctly, the encoder encodes all HTML tags within HTML contexts. Can you please help me understand if I can configure the encoder to exclude a list of HTML tags?

jeremylong commented 3 years ago

Sorry for the delayed reply. It sounds like you are looking more for something like an HTML sanitizer like DOM Purify - https://github.com/cure53/DOMPurify

sgsvnk commented 3 years ago

I wanted to do something on the server side, which is Java in my case. I was exploring DOMPurify, but I would either have to do it on an intermediate NodeJS server or on the front-end, and I can do neither in my case.

kwwall commented 3 years ago

Alternatively, instead of DOMPurify, you could also use either OWASP HTML Sanitizer https://github.com/OWASP/java-html-sanitizer or OWASP AntiSamy https://github.com/nahsra/antisamy, both of which work with pure Java and don't require NodeJS.

-kevin

Blog: http://off-the-wall-security.blogspot.com/ | Twitter: @KevinWWall NSA: All your crypto bit are belong to us.


jmanico commented 3 years ago

DOMPurify is client-side, primarily.

-- Jim Manico @Manicode


sgsvnk commented 3 years ago

Thanks for your support. I needed to do this server-side; I ended up using owasp-html-sanitizer as suggested.
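As an added example (not part of this issue thread and not code from either OWASP project), the following contrasts the two approaches discussed above: `Encode.forHtml()` has no tag exclusions because its contract is to emit no markup at all, while the OWASP Java HTML Sanitizer lets you allowlist the tags you want to keep. It assumes the Maven artifacts `org.owasp.encoder:encoder` and `com.googlecode.owasp-java-html-sanitizer:owasp-java-html-sanitizer` are on the classpath; the class name and sample input are constructed for the example.

```java
import org.owasp.encoder.Encode;
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

public class EncodeVsSanitize {

    // Built once and reused: a PolicyFactory is immutable and thread-safe.
    // Only the listed tags survive; other tags are removed (their text content is kept).
    private static final PolicyFactory ALLOW_BASIC_MARKUP = new HtmlPolicyBuilder()
            .allowElements("p", "b", "i", "ul", "li", "a")
            .allowAttributes("href").onElements("a")
            .allowStandardUrlProtocols()   // http, https, mailto only; javascript: is dropped
            .requireRelNofollowOnLinks()
            .toFactory();

    /** Output encoding: the entire string becomes inert text inside an HTML element body. */
    static String asInertText(String untrusted) {
        return Encode.forHtml(untrusted);
    }

    /** Sanitizing: keeps the allowlisted tags/attributes and strips everything else. */
    static String asLimitedMarkup(String untrusted) {
        return ALLOW_BASIC_MARKUP.sanitize(untrusted);
    }

    public static void main(String[] args) {
        // Constructed sample input: wanted formatting mixed with markup that must never render.
        String untrusted = "<p>Hello <b>world</b></p>"
                + "<img src=x onerror=\"alert(1)\">"
                + "<a href=\"javascript:alert(1)\" onclick=\"alert(2)\">link</a>";

        // Encoder: every '<', '>' and '&' is escaped, so <p> and <b> appear literally too.
        // This is why forHtml() cannot be configured to "exclude" tags: an encoder is the
        // wrong tool when some markup must be preserved.
        System.out.println(asInertText(untrusted));

        // Sanitizer: <p>, <b> and <a> are kept; the <img> element and the onerror/onclick
        // attributes are removed, and the javascript: href is dropped by the protocol rule.
        System.out.println(asLimitedMarkup(untrusted));
    }
}
```

Run it with both jars on the classpath and compare the two lines: the first is safe only as element text, the second is safe to emit as HTML because the policy, not the input, decides which tags remain.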