Fixed bad defaults for html sanitization

- Corrected the `_tables` element list. now it contains the following elements: `<table>`, `<th>`, `<tr>`, `<td>`, `<caption>`, `<col>`, `<colgroup>`, `<thead>`, `<tbody>`, `<tfoot>` - Added support for empty `<span>` elements Closes elastic/elasticsearch#660 Original commit: elastic/x-pack-elasticsearch@ce5e57c4aa
2025-03-09 14:34:43 +00:00 · 2015-09-17 11:44:37 +02:00 · 2015-09-17 11:44:37 +02:00 · 006364279e
commit 006364279e
parent 3ecc12963b
2 changed files with 42 additions and 6 deletions
--- a/watcher/src/main/java/org/elasticsearch/watcher/actions/email/service/HtmlSanitizer.java
+++ b/watcher/src/main/java/org/elasticsearch/watcher/actions/email/service/HtmlSanitizer.java
@ -26,13 +26,13 @@ public class HtmlSanitizer {

    static final String[] FORMATTING_TAGS = new String[] {
            "b", "i", "s", "u", "o", "sup", "sub", "ins", "del", "strong",
-            "strike", "tt", "code", "big", "small", "br", "span", "em"
+            "strike", "tt", "code", "big", "small", "br", "span", "em", "hr"
    };
    static final String[] BLOCK_TAGS = new String[] {
            "p", "div", "h1", "h2", "h3", "h4", "h5", "h6", "ul", "ol", "li", "blockquote"
    };
    static final String[] TABLE_TAGS = new String[] {
-            "table", "hr", "tr", "td"
+            "table", "th", "tr", "td", "caption", "col", "colgroup", "thead", "tbody", "tfoot"
    };
    static final String[] DEFAULT_ALLOWED = new String[] {
            "body", "head", "_tables", "_links", "_blocks", "_formatting", "img:embedded"
@ -64,8 +64,10 @@ public class HtmlSanitizer {
        if (Arrays.binarySearch(allow, "_all") > -1) {
            return policyBuilder
                    .allowElements(TABLE_TAGS)
+                    .allowAttributes("span").onElements("col")
                    .allowElements(BLOCK_TAGS)
                    .allowElements(FORMATTING_TAGS)
+                    .allowWithoutAttributes("span")
                    .allowStyling(CssSchema.DEFAULT)
                    .allowStandardUrlProtocols().allowElements("a")
                    .allowAttributes("href").onElements("a").requireRelNofollowOnLinks()
@ -83,6 +85,7 @@ public class HtmlSanitizer {
            switch (tag) {
                case "_tables":
                    policyBuilder.allowElements(TABLE_TAGS);
+                    policyBuilder.allowAttributes("span").onElements("col");
                    break;
                case "_links":
                    policyBuilder.allowElements("a")
@ -94,7 +97,8 @@ public class HtmlSanitizer {
                    policyBuilder.allowElements(BLOCK_TAGS);
                    break;
                case "_formatting":
-                    policyBuilder.allowElements(FORMATTING_TAGS);
+                    policyBuilder.allowElements(FORMATTING_TAGS)
+                            .allowWithoutAttributes("span");
                    break;
                case "_styles":
                    policyBuilder.allowStyling(CssSchema.DEFAULT);
--- a/watcher/src/test/java/org/elasticsearch/watcher/actions/email/service/HtmlSanitizerTests.java
+++ b/watcher/src/test/java/org/elasticsearch/watcher/actions/email/service/HtmlSanitizerTests.java
@ -9,7 +9,7 @@ import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.test.ESTestCase;
 import org.junit.Test;

-import static org.hamcrest.Matchers.equalTo;
+import static org.hamcrest.Matchers.*;


 /**
@ -54,7 +54,6 @@ public class HtmlSanitizerTests extends ESTestCase {
        }
    }

-
    @Test
    public void testDefault_onclick_Disallowed() {
        String badHtml = "<button type=\"button\"" +
@ -83,7 +82,40 @@ public class HtmlSanitizerTests extends ESTestCase {

    @Test
    public void testDefault_Tables_Allowed() {
-        String html = "<table><tr><td>cell1</td><td>cell2</td></tr></table>";
+        String html = "<table>" +
+                "<caption>caption</caption>" +
+                "<colgroup>" +
+                "<col span=\"2\" />" +
+                "<col />" +
+                "</colgroup>" +
+                "<thead>" +
+                "<tr>" +
+                "<th>header1</th>" +
+                "<th>header2</th>" +
+                "</tr>" +
+                "</thead>" +
+                "<tfoot>" +
+                "<tr>" +
+                "<td>Sum</td>" +
+                "<td>$180</td>" +
+                "</tr>" +
+                "</tfoot>" +
+                "<tbody>" +
+                "<tr>" +
+                "<td>cost</td>" +
+                "<td>180</td>" +
+                "</tr>" +
+                "</tbody>" +
+                "</table>";
+        HtmlSanitizer sanitizer = new HtmlSanitizer(Settings.EMPTY);
+        String sanitizedHtml = sanitizer.sanitize(html);
+        assertThat(sanitizedHtml, equalTo(html));
+    }
+
+    @Test
+    public void testDefault_Formatting_Allowed() {
+        String html =  "<b></b><i></i><s></s><u></u><o></o><sup></sup><sub></sub><ins></ins><del></del><strong></strong>" +
+                "<strike></strike><tt></tt><code></code><big></big><small></small><span></span><br /><em></em><hr />";
        HtmlSanitizer sanitizer = new HtmlSanitizer(Settings.EMPTY);
        String sanitizedHtml = sanitizer.sanitize(html);
        assertThat(sanitizedHtml, equalTo(html));