Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP

Loading…

bug with :all pseudo tag in WhiteList.isSafeAttribute #156

Closed
tonig opened this Issue · 1 comment

3 participants

@tonig

At line 297:

boolean isSafeAttribute(String tagName, Element el, Attribute attr) {
    TagName tag = TagName.valueOf(tagName);
    AttributeKey key = AttributeKey.valueOf(attr.getKey());

    if (attributes.containsKey(tag)) {
        if (attributes.get(tag).contains(key)) {
            if (protocols.containsKey(tag)) {
                Map<AttributeKey, Set<Protocol>> attrProts = protocols.get(tag);
                // ok if not defined protocol; otherwise test
                return !attrProts.containsKey(key) || testValidProtocol(el, attr, attrProts.get(key));
            } else { // attribute found, no protocols defined, so OK
                return true;
            }
        }
    } else { // no attributes defined for tag, try :all tag
        return !tagName.equals(":all") && isSafeAttribute(":all", el, attr);
    }
    return false;
}

must be:

boolean isSafeAttribute(String tagName, Element el, Attribute attr) {
    TagName tag = TagName.valueOf(tagName);
    AttributeKey key = AttributeKey.valueOf(attr.getKey());

    if (attributes.containsKey(tag)) {
        if (attributes.get(tag).contains(key)) {
            if (protocols.containsKey(tag)) {
                Map<AttributeKey, Set<Protocol>> attrProts = protocols.get(tag);
                // ok if not defined protocol; otherwise test
                return !attrProts.containsKey(key) || testValidProtocol(el, attr, attrProts.get(key));
            } else { // attribute found, no protocols defined, so OK
                return true;
            }
        }
    }
    return !tagName.equals(":all") && isSafeAttribute(":all", el, attr);
}

Otherwise, only tags with no attributes defined have default :all attributes applied.
U can use this code for testing, where "class" is preserved in div, but not in table.
String unsafe =
"

Link

" +
"
oleadmin
" +
"
hell world
";
Whitelist whitelist = Whitelist.basic();
whitelist.addTags("div","table","tr","td");
whitelist.addAttributes("table", "border");
whitelist.addAttributes(":all", "class", "style");

    String safe = Jsoup.clean(unsafe, whitelist);
    System.out.println(safe);
@RobertFischer

Thanks for opening this bug report: just encountered it in my own code.

@jhy jhy closed this in a97385e
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Something went wrong with that request. Please try again.