
bug with :all pseudo tag in WhiteList.isSafeAttribute #156

Closed
tonig opened this issue Dec 12, 2011 · 1 comment

tonig commented Dec 12, 2011

At line 297:

boolean isSafeAttribute(String tagName, Element el, Attribute attr) {
    TagName tag = TagName.valueOf(tagName);
    AttributeKey key = AttributeKey.valueOf(attr.getKey());

    if (attributes.containsKey(tag)) {
        if (attributes.get(tag).contains(key)) {
            if (protocols.containsKey(tag)) {
                Map<AttributeKey, Set<Protocol>> attrProts = protocols.get(tag);
                // ok if not defined protocol; otherwise test
                return !attrProts.containsKey(key) || testValidProtocol(el, attr, attrProts.get(key));
            } else { // attribute found, no protocols defined, so OK
                return true;
            }
        }
    } else { // no attributes defined for tag, try :all tag
        return !tagName.equals(":all") && isSafeAttribute(":all", el, attr);
    }
    return false;
}

must be:

boolean isSafeAttribute(String tagName, Element el, Attribute attr) {
    TagName tag = TagName.valueOf(tagName);
    AttributeKey key = AttributeKey.valueOf(attr.getKey());

    if (attributes.containsKey(tag)) {
        if (attributes.get(tag).contains(key)) {
            if (protocols.containsKey(tag)) {
                Map<AttributeKey, Set<Protocol>> attrProts = protocols.get(tag);
                // ok if not defined protocol; otherwise test
                return !attrProts.containsKey(key) || testValidProtocol(el, attr, attrProts.get(key));
            } else { // attribute found, no protocols defined, so OK
                return true;
            }
        }
    }
    return !tagName.equals(":all") && isSafeAttribute(":all", el, attr);
}

Otherwise, only tags with no attributes defined have default :all attributes applied.
You can use this code for testing, where "class" is preserved in div, but not in table.

import org.jsoup.Jsoup;
import org.jsoup.safety.Whitelist;

public class AllTagTest {
    public static void main(String[] args) {
        String unsafe =
            "Link" +
            "<div class=\"test\" style=\"background:red\">oleadmin" +
            "<table class=\"tipusTaula1\">hell world";
        Whitelist whitelist = Whitelist.basic();
        whitelist.addTags("div", "table", "tr", "td");
        whitelist.addAttributes("table", "border");
        whitelist.addAttributes(":all", "class", "style");

        String safe = Jsoup.clean(unsafe, whitelist);
        System.out.println(safe);
    }
}
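To make the difference between the two versions of the lookup concrete without depending on jsoup's internals, here is an added stand-alone model of the attribute whitelist check (example code, not jsoup's own and not from the issue author). It uses plain String tag and attribute names in place of jsoup's TagName and AttributeKey, leaves out the protocol check because it does not affect the ":all" fallback, and fills the map with a constructed whitelist that mirrors the test above: "table" has its own attribute list (border) and ":all" carries class and style. Running it shows that the buggy version drops class on table while the fixed version keeps it, and that neither version lets through an attribute that appears in no list.

```java
import java.util.*;

// Added example, not jsoup's code: a stand-alone model of the attribute
// whitelist lookup discussed in this issue.
public class AllPseudoTagDemo {
    // Constructed whitelist for the demo: tag -> allowed attribute names.
    static final Map<String, Set<String>> ATTRIBUTES = new HashMap<>();
    static {
        ATTRIBUTES.put("table", new HashSet<>(Arrays.asList("border")));
        ATTRIBUTES.put(":all", new HashSet<>(Arrays.asList("class", "style")));
    }

    // Behaviour before the fix: the ":all" fallback only runs when the tag
    // has no attribute list of its own, so a tag-specific list hides ":all".
    static boolean isSafeAttributeBuggy(String tagName, String attrKey) {
        if (ATTRIBUTES.containsKey(tagName)) {
            if (ATTRIBUTES.get(tagName).contains(attrKey)) {
                return true;
            }
        } else {
            return !tagName.equals(":all") && isSafeAttributeBuggy(":all", attrKey);
        }
        return false;
    }

    // Behaviour after the fix: a miss in the tag's own list falls through to
    // the ":all" list, so tag-specific and global attributes are combined.
    // The ":all" guard still stops the recursion after one fallback.
    static boolean isSafeAttributeFixed(String tagName, String attrKey) {
        if (ATTRIBUTES.containsKey(tagName) && ATTRIBUTES.get(tagName).contains(attrKey)) {
            return true;
        }
        return !tagName.equals(":all") && isSafeAttributeFixed(":all", attrKey);
    }

    public static void main(String[] args) {
        // Constructed cases: div has no own list, table does; onclick is in no list.
        String[][] cases = {
            {"div", "class"}, {"table", "class"}, {"table", "border"}, {"table", "onclick"}
        };
        for (String[] c : cases) {
            System.out.printf("%-6s %-8s buggy=%-5b fixed=%b%n", c[0], c[1],
                    isSafeAttributeBuggy(c[0], c[1]), isSafeAttributeFixed(c[0], c[1]));
        }
    }
}
```

Compile and run with `javac AllPseudoTagDemo.java && java AllPseudoTagDemo`. The table/class row is the one that changes (buggy=false, fixed=true); table/onclick stays false in both, which is the check worth keeping in mind when touching fallback logic in a sanitizer: widening the lookup must only ever admit attributes that some whitelist entry explicitly names.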
@RobertFischer

Thanks for opening this bug report: just encountered it in my own code.

@jhy jhy closed this as completed in a97385e May 6, 2012