diff --git a/owasp-java-html-sanitizer/src/main/java/org/owasp/html/HtmlPolicyBuilder.java b/owasp-java-html-sanitizer/src/main/java/org/owasp/html/HtmlPolicyBuilder.java
index d5a5df05..1e3f65e6 100644
--- a/owasp-java-html-sanitizer/src/main/java/org/owasp/html/HtmlPolicyBuilder.java
+++ b/owasp-java-html-sanitizer/src/main/java/org/owasp/html/HtmlPolicyBuilder.java
@@ -874,10 +874,21 @@ private HtmlTagSkipType getHtmlTagSkipType(String elementName) {
public final class AttributeBuilder {
private final List attributeNames;
private AttributePolicy policy = AttributePolicy.IDENTITY_ATTRIBUTE_POLICY;
+ private boolean shouldSanitizeGlobalStyles = false;
AttributeBuilder(List extends String> attributeNames) {
this.attributeNames = j8().listCopyOf(attributeNames);
}
+
+ /**
+ * Determines whether allowAttributes("style").globally() should imply allowStyling()
+ * which sanitizes style attribute values
+ */
+ public AttributeBuilder sanitizeGlobalStyles() {
+ this.shouldSanitizeGlobalStyles = true;
+ return this;
+ }
+
/**
* Filters and/or transforms the attribute values
@@ -967,7 +978,7 @@ public AttributeBuilder matching(
*/
@SuppressWarnings("synthetic-access")
public HtmlPolicyBuilder globally() {
- if (attributeNames.contains("style")) {
+ if (attributeNames.contains("style") && shouldSanitizeGlobalStyles) {
allowStyling();
}
return HtmlPolicyBuilder.this.allowAttributesGlobally(
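Review bot: With `shouldSanitizeGlobalStyles` defaulting to `false` at L9, the guard at L30 means `allowAttributes("style").globally()` no longer triggers `allowStyling()`, so a global `style` attribute is now admitted under the attribute's own policy — `IDENTITY_ATTRIBUTE_POLICY` unless `matching(...)` was used — with no CSS sanitization applied, and an existing policy that relied on the previous implicit behavior loses that sanitization silently on upgrade. That consequence should be stated in the Javadoc of `sanitizeGlobalStyles()`, which currently only says what the flag determines; suggested text: `* Without this call, {@code allowAttributes("style").globally()} admits style values under the attribute policy alone (identity by default) and applies no CSS sanitization; call this method or {@link HtmlPolicyBuilder#allowStyling()} explicitly to keep style values sanitized.` The same Javadoc should end its summary sentence with a period and carry `@return this builder, for chaining`. The Javadoc of `globally()` begins above this hunk; if it still describes `style` as implying `allowStyling()` it needs the matching correction.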
diff --git a/owasp-java-html-sanitizer/src/test/java/org/owasp/html/CssSchemaTest.java b/owasp-java-html-sanitizer/src/test/java/org/owasp/html/CssSchemaTest.java
index e3b8e2f9..3c6aa9af 100644
--- a/owasp-java-html-sanitizer/src/test/java/org/owasp/html/CssSchemaTest.java
+++ b/owasp-java-html-sanitizer/src/test/java/org/owasp/html/CssSchemaTest.java
@@ -97,4 +97,20 @@ public static final void testCustom() {
assertTrue("left in float", cssFloat.literals.contains("left"));
}
+ @Test
+ public static final void testStyleCasingWithoutAllowStyling() {
+ String input = "fourth line
";
+ PolicyFactory factory = new HtmlPolicyBuilder().allowElements("p","span").allowAttributes("test","style").globally().toFactory();
+ assertEquals(input, factory.sanitize(input));
+ }
+
+ @Test
+ public static final void testStyleCasingWithAllowStyling() {
+ String input = "fourth line
";
+ PolicyFactory factory = new HtmlPolicyBuilder().allowElements("p","span").allowAttributes("test","style").sanitizeGlobalStyles().globally().toFactory();
+ assertEquals("fourth line
"
+ , factory.sanitize(input));
+ }
+
+
}
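Review bot: Neither new test says why `testStyleCasingWithoutAllowStyling` expects the input back unchanged, and that expectation is the security-relevant one — it pins down that without `sanitizeGlobalStyles()` a globally allowed `style` attribute passes through under the identity attribute policy with no CSS sanitization. A one-line comment above the assertion at L46, `// Without sanitizeGlobalStyles() the style value is passed through unsanitized; that opt-in default is what this test pins.`, would keep a later reader from reading the test as a regression fixture. The string literals in this hunk appear to have lost their markup in rendering, so the exact expected values cannot be checked here. On layout, there is no blank line between the closing brace at L40 and the new `@Test`, while two blank lines are added before the class's closing brace at L60; one blank line in each place matches the surrounding file.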
diff --git a/owasp-java-html-sanitizer/src/test/java/org/owasp/html/HtmlPolicyBuilderTest.java b/owasp-java-html-sanitizer/src/test/java/org/owasp/html/HtmlPolicyBuilderTest.java
index 3ac35180..5ad8faa3 100644
--- a/owasp-java-html-sanitizer/src/test/java/org/owasp/html/HtmlPolicyBuilderTest.java
+++ b/owasp-java-html-sanitizer/src/test/java/org/owasp/html/HtmlPolicyBuilderTest.java
@@ -663,6 +663,19 @@ public String toString() {
input));
}
+ @Test
+ public static final void testGlobalStyleWithoutSanitization() {
+ PolicyFactory factory = new HtmlPolicyBuilder().allowElements("span").allowAttributes("test","style").globally().toFactory();
+ String input = "Strikethrough";
+ assertEquals(factory.sanitize(input), input);
+ }
+
+ @Test
+ public static final void testGlobalStyleWithSanitization() {
+ PolicyFactory factory = new HtmlPolicyBuilder().allowElements("span").allowAttributes("test","style").sanitizeGlobalStyles().globally().toFactory();
+ String input = "Strikethrough";
+ assertEquals("Strikethrough", factory.sanitize(input));
+ }
@Test
public final void testPostprocessors() {