bug with :all pseudo tag in WhiteList.isSafeAttribute #156

Closed
tonig opened this Issue Dec 12, 2011 · 1 comment

Projects

None yet

3 participants

@tonig
tonig commented Dec 12, 2011

At line 297:

boolean isSafeAttribute(String tagName, Element el, Attribute attr) {
    TagName tag = TagName.valueOf(tagName);
    AttributeKey key = AttributeKey.valueOf(attr.getKey());

    if (attributes.containsKey(tag)) {
        if (attributes.get(tag).contains(key)) {
            if (protocols.containsKey(tag)) {
                Map<AttributeKey, Set<Protocol>> attrProts = protocols.get(tag);
                // ok if not defined protocol; otherwise test
                return !attrProts.containsKey(key) || testValidProtocol(el, attr, attrProts.get(key));
            } else { // attribute found, no protocols defined, so OK
                return true;
            }
        }
    } else { // no attributes defined for tag, try :all tag
        return !tagName.equals(":all") && isSafeAttribute(":all", el, attr);
    }
    return false;
}

must be:

boolean isSafeAttribute(String tagName, Element el, Attribute attr) {
    TagName tag = TagName.valueOf(tagName);
    AttributeKey key = AttributeKey.valueOf(attr.getKey());

    if (attributes.containsKey(tag)) {
        if (attributes.get(tag).contains(key)) {
            if (protocols.containsKey(tag)) {
                Map<AttributeKey, Set<Protocol>> attrProts = protocols.get(tag);
                // ok if not defined protocol; otherwise test
                return !attrProts.containsKey(key) || testValidProtocol(el, attr, attrProts.get(key));
            } else { // attribute found, no protocols defined, so OK
                return true;
            }
        }
    }
    return !tagName.equals(":all") && isSafeAttribute(":all", el, attr);
}

Otherwise, only tags with no attributes defined have default :all attributes applied.
U can use this code for testing, where "class" is preserved in div, but not in table.
String unsafe =
"

Link

" +
"<div class="test" style="background:red">oleadmin" +
"<table class="tipusTaula1">hell world";
Whitelist whitelist = Whitelist.basic();
whitelist.addTags("div","table","tr","td");
whitelist.addAttributes("table", "border");
whitelist.addAttributes(":all", "class", "style");

    String safe = Jsoup.clean(unsafe, whitelist);
    System.out.println(safe);
@RobertFischer

Thanks for opening this bug report: just encountered it in my own code.

@jhy jhy closed this in a97385e May 6, 2012
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment