#3081: Update HtmlPolicyBuilder, allow class for h1 and p

In order to be able to save richText content containing also a class, we need to allow this in the HtmlPolicyBuilder, which is being used to sanitize the HTML before saving. We updated this one to allow the class attribute for h1 and p elements.
NCI-Agency · Jun 25, 2020 · c167807 · c167807
1 parent b036bb8
commit c167807
Showing 1 changed file with 24 additions and 23 deletions.
diff --git a/src/main/java/mil/dds/anet/utils/Utils.java b/src/main/java/mil/dds/anet/utils/Utils.java
@@ -180,29 +180,30 @@ public static Map<String, Task> buildParentTaskMapping(List<Task> tasks,
     return result;
   }
 
-  public static final PolicyFactory POLICY_DEFINITION = new HtmlPolicyBuilder()
-      .allowStandardUrlProtocols()
-      // Allow in-line image data
-      .allowUrlProtocols("data").allowAttributes("src").matching(Pattern.compile("^data:image/.*$"))
-      .onElements("img")
-      // Allow some image attributes
-      .allowAttributes("align", "alt", "border", "name", "height", "width", "hspace", "vspace")
-      .onElements("img")
-      // Allow title="..." on any element.
-      .allowAttributes("title").globally()
-      // Allow href="..." on <a> elements (but not the 'data:' protocol!).
-      .allowAttributes("href").matching(Pattern.compile("^(?!data:).*$")).onElements("a")
-      // Defeat link spammers.
-      .requireRelNofollowOnLinks()
-      // The align attribute on <p> elements can have any value below.
-      .allowAttributes("align").matching(true, "center", "left", "right", "justify", "char")
-      .onElements("p").allowAttributes("border", "cellpadding", "cellspacing").onElements("table")
-      .allowAttributes("colspan", "rowspan").onElements("td", "th").allowStyling()
-      // These elements are allowed.
-      .allowElements("a", "p", "div", "i", "b", "u", "em", "blockquote", "tt", "strong", "br", "ul",
-          "ol", "li", "table", "tr", "td", "thead", "tbody", "th", "span", "h1", "h2", "h3", "h4",
-          "h5", "h6", "hr", "img", "strike", "mark")
-      .toFactory();
+  public static final PolicyFactory POLICY_DEFINITION =
+      new HtmlPolicyBuilder().allowStandardUrlProtocols()
+          // Allow in-line image data
+          .allowUrlProtocols("data").allowAttributes("src")
+          .matching(Pattern.compile("^data:image/.*$")).onElements("img")
+          // Allow some image attributes
+          .allowAttributes("align", "alt", "border", "name", "height", "width", "hspace", "vspace")
+          .onElements("img")
+          // Allow title="..." on any element.
+          .allowAttributes("title").globally()
+          // Allow href="..." on <a> elements (but not the 'data:' protocol!).
+          .allowAttributes("href").matching(Pattern.compile("^(?!data:).*$")).onElements("a")
+          // Defeat link spammers.
+          .requireRelNofollowOnLinks()
+          // The align attribute on <p> elements can have any value below.
+          .allowAttributes("align").matching(true, "center", "left", "right", "justify", "char").onElements("p")
+          .allowAttributes("class").onElements("h1", "p")
+          .allowAttributes("border", "cellpadding", "cellspacing").onElements("table")
+          .allowAttributes("colspan", "rowspan").onElements("td", "th").allowStyling()
+          // These elements are allowed.
+          .allowElements("a", "p", "div", "i", "b", "u", "em", "blockquote", "tt", "strong", "br",
+              "ul", "ol", "li", "table", "tr", "td", "thead", "tbody", "th", "span", "h1", "h2",
+              "h3", "h4", "h5", "h6", "hr", "img", "strike", "mark")
+          .toFactory();
 
   public static String sanitizeHtml(String input) {
     if (input == null) {