subbudvk · subbudvk · Apr 10, 2024 · Apr 10, 2024 · Apr 10, 2024
diff --git a/owasp-java-html-sanitizer/src/main/java/org/owasp/html/HtmlPolicyBuilder.java b/owasp-java-html-sanitizer/src/main/java/org/owasp/html/HtmlPolicyBuilder.java
@@ -874,10 +874,21 @@ private HtmlTagSkipType getHtmlTagSkipType(String elementName) {
   public final class AttributeBuilder {
     private final List<String> attributeNames;
     private AttributePolicy policy = AttributePolicy.IDENTITY_ATTRIBUTE_POLICY;
+    private boolean shouldSanitizeGlobalStyles = false;
 
     AttributeBuilder(List<? extends String> attributeNames) {
       this.attributeNames = j8().listCopyOf(attributeNames);
     }
+
+  /**
+    * Determines whether allowAttributes("style").globally() should imply allowStyling()
+    * which sanitizes style attribute values
+    */
+    public AttributeBuilder sanitizeGlobalStyles() {
+	  	this.shouldSanitizeGlobalStyles = true;
+	  	return this;
+	  }
+
 
     /**
      * Filters and/or transforms the attribute values
@@ -967,7 +978,7 @@ public AttributeBuilder matching(
      */
     @SuppressWarnings("synthetic-access")
     public HtmlPolicyBuilder globally() {
-      if (attributeNames.contains("style")) {
+      if (attributeNames.contains("style") && shouldSanitizeGlobalStyles) {
         allowStyling();
       }
       return HtmlPolicyBuilder.this.allowAttributesGlobally(

diff --git a/owasp-java-html-sanitizer/src/test/java/org/owasp/html/CssSchemaTest.java b/owasp-java-html-sanitizer/src/test/java/org/owasp/html/CssSchemaTest.java
@@ -97,4 +97,20 @@ public static final void testCustom() {
     assertTrue("left in float", cssFloat.literals.contains("left"));
   }
 
+   @Test
+  public static final void testStyleCasingWithoutAllowStyling() {
+	  String input = "<p><span style=\"font-family:Times New Roman,Times,serif;\">fourth line</span></p>";
+	  PolicyFactory factory = new HtmlPolicyBuilder().allowElements("p","span").allowAttributes("test","style").globally().toFactory();
+	  assertEquals(input, factory.sanitize(input));
+  }
+
+  @Test
+  public static final void testStyleCasingWithAllowStyling() {
+	  String input = "<p><span style=\"font-family:Times New Roman,Times,serif;\">fourth line</span></p>";
+	  PolicyFactory factory = new HtmlPolicyBuilder().allowElements("p","span").allowAttributes("test","style").sanitizeGlobalStyles().globally().toFactory();
+	  assertEquals("<p><span style=\"font-family:&#39;times new roman&#39; , &#39;times&#39; , serif\">fourth line</span></p>"
+	  		, factory.sanitize(input));
+  }
+
+
 }
diff --git a/owasp-java-html-sanitizer/src/test/java/org/owasp/html/HtmlPolicyBuilderTest.java b/owasp-java-html-sanitizer/src/test/java/org/owasp/html/HtmlPolicyBuilderTest.java
@@ -663,6 +663,19 @@ public String toString() {
             input));
   }
 
+  @Test
+  public static final void testGlobalStyleWithoutSanitization() {
+	  PolicyFactory factory = new HtmlPolicyBuilder().allowElements("span").allowAttributes("test","style").globally().toFactory();
+  	  String input = "<span style=\"text-decoration-line: line-through;\">Strikethrough</span>";
+  	  assertEquals(factory.sanitize(input), input);
+  }
+
+  @Test
+  public static final void testGlobalStyleWithSanitization() {
+	  PolicyFactory factory = new HtmlPolicyBuilder().allowElements("span").allowAttributes("test","style").sanitizeGlobalStyles().globally().toFactory();
+  	  String input = "<span style=\"text-decoration-line: line-through;\">Strikethrough</span>";
+  	  assertEquals("Strikethrough", factory.sanitize(input));
+  }
 
   @Test
   public final void testPostprocessors() {