-
Here's what that would look like as a diff:
-
@Frooodle would this be something you’d be open to behind a custom-settings flag? Like If so, I can see how you did that to disable sanitation entirely, and try to come up with a suitable PR.
-
The current HTML sanitizer strips colspan. This is because the table rules of the underlying library, java-html-sanitizer, don’t include colspan and rowspan in their whitelist.
There is an open pull request to OWASP java-html-sanitizer to allow colspan and rowspan on tables in the library, but it’s been open for more than a year.
What are the thoughts on modifying the CustomHtmlSanitizer to allow? colspan is a nice tool to use for inline headers in tables. But I don’t know what the security implications are.
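For reference on the question above, one way to allow colspan and rowspan with OWASP java-html-sanitizer while keeping the allowlist tight. This is an added example, not code from this project or from the open pull request; the class name, the sample input and the three-digit limit on span values are assumptions.

```java
import java.util.regex.Pattern;

import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

// Hypothetical class for illustration; not the project's CustomHtmlSanitizer.
public class TableSpanPolicyExample {

    // Assumption: a span is a positive integer of at most three digits.
    // Anything else (negative numbers, huge values, non-numeric text) fails the match.
    private static final Pattern SPAN = Pattern.compile("[1-9][0-9]{0,2}");

    static final PolicyFactory TABLES_WITH_SPANS = new HtmlPolicyBuilder()
            .allowElements("table", "thead", "tbody", "tfoot", "tr", "th", "td")
            // Allowed only on cells, and only when the value matches SPAN.
            // A non-matching attribute is dropped; the cell itself is kept.
            .allowAttributes("colspan", "rowspan").matching(SPAN).onElements("th", "td")
            .toFactory();

    public static String sanitize(String untrustedHtml) {
        return TABLES_WITH_SPANS.sanitize(untrustedHtml);
    }

    public static void main(String[] args) {
        // Constructed sample input: one valid span, one event handler,
        // one non-numeric span value and one oversized span value.
        String html = "<table>"
                + "<tr><th colspan=\"2\" onclick=\"x()\">Totals</th></tr>"
                + "<tr><td colspan=\"abc\">a</td><td rowspan=\"99999\">b</td></tr>"
                + "</table>";

        // Prints the sanitized markup so the surviving attributes can be inspected.
        System.out.println(sanitize(html));
    }
}
```

Both attributes take integers rather than URLs, script or style, so a digits-only pattern scoped to th and td is enough to keep arbitrary strings out of them.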