windbreakerdoss / owasp-esapi-java

Automatically exported from code.google.com/p/owasp-esapi-java

PolicyFactory Sanitize method weird output #318

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?

1. Create PolicyFactory with all added sanitizers (Formatting/Images/Links/Styles/Blocks)
2. Pass "<b><h1>text</h1></b>" to the PolicyFactory.sanitize(String html)
3. Result returned is "<b></b><b><h1>text</h1></b>"

What is the expected output? What do you see instead?

-Expected "<b><h1>text</h1></b>" 
-Received "<b></b><b><h1>text</h1></b>"

What version of the product are you using? On what operating system?

-Windows 7 64-bit
-Maven dependency:
 <dependency>
     <groupId>com.googlecode.owasp-java-html-sanitizer</groupId>
     <artifactId>owasp-java-html-sanitizer</artifactId>
     <version>r209</version>
 </dependency>

Does this issue affect only a specified browser or set of browsers?

-This is browser unrelated, testing simply through JUnit tests

Please provide any additional information below.

I am currently using this method in a loop and exiting the loop when the string 
has been fully sanitized, based on the idea that it is fully sanitized when the 
previous sanitization result equals the current sanitization result. 
Unfortunately, with this issue, on some inputs the sanitize method does not 
stop adding tags, resulting in an infinite loop because the previous 
sanitization of the string never equals the current sanitization of the 
string.

Original issue reported on code.google.com by Toombs....@gmail.com on 7 Feb 2014 at 7:39
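The steps above, as an added example that is not the reporter's code or the project's own test code. It builds the same policy from the prepackaged sanitizers the report lists, using the library's real Sanitizers and PolicyFactory API, and shows the loop-until-stable pattern from the report with an iteration cap so that a non-converging input ends in an exception instead of an infinite loop. The sanitizer's contract is that a single pass produces output that conforms to the policy; it does not promise that its output is a fixed point, so re-sanitizing until the string stops changing is unnecessary for safety and, as this report shows, may never terminate. The printed output for r209 is whatever that version produces (the report says "<b></b><b><h1>text</h1></b>"); nothing here asserts what a current release returns.

```java
import org.owasp.html.PolicyFactory;
import org.owasp.html.Sanitizers;

public class SanitizeOnce {

    // Same set of prepackaged sanitizers the report lists
    // (Formatting/Images/Links/Styles/Blocks), combined with PolicyFactory.and().
    static final PolicyFactory POLICY = Sanitizers.FORMATTING
            .and(Sanitizers.IMAGES)
            .and(Sanitizers.LINKS)
            .and(Sanitizers.STYLES)
            .and(Sanitizers.BLOCKS);

    /** Recommended usage: one pass. The output already conforms to POLICY. */
    static String sanitize(String html) {
        return POLICY.sanitize(html);
    }

    /**
     * The reporter's loop-until-stable pattern, made safe with an iteration cap.
     * Returns the result once two consecutive passes agree, or throws if the
     * output keeps changing for maxRounds passes (the situation the report describes).
     * Hypothetical helper, not part of the library.
     */
    static String sanitizeUntilStable(String html, int maxRounds) {
        String previous = html;
        for (int round = 0; round < maxRounds; round++) {
            String current = POLICY.sanitize(previous);
            if (current.equals(previous)) {
                return current;
            }
            previous = current;
        }
        throw new IllegalStateException(
                "sanitizer output did not reach a fixed point within " + maxRounds + " rounds");
    }

    public static void main(String[] args) {
        // Constructed input, taken from the reproduction steps in the report.
        String input = "<b><h1>text</h1></b>";
        System.out.println("single pass  : " + sanitize(input));
        try {
            System.out.println("fixed point  : " + sanitizeUntilStable(input, 5));
        } catch (IllegalStateException e) {
            // Bounded failure instead of the infinite loop the report hit.
            System.out.println("no fixed point: " + e.getMessage());
        }
    }
}
```

Compile and run it with the owasp-java-html-sanitizer jar from the Maven dependency shown in the report on the classpath. The point of the cap is that a sanitizer loop which never converges should fail loudly and be investigated, not spin; in production, call sanitize() once and render that result.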

GoogleCodeExporter commented 9 years ago
I am facing this issue too; it only happens when we sanitize the HTML.
I dug further and figured out that it is when used with other tags that the 
problem of the extra   is seen.
But if I use  alone in my HTML code, it does not append.

Let me know if you have a solution to this...

Original comment by u.nilesh...@gmail.com on 20 Nov 2014 at 7:05