Watcher: Allow more tags for HTML sanitizer in tables (elastic/elasticsearch#2350)

This allows the colspan/rowspan attr on td/tr as well as border/cellpadding attrs on table elements. Original commit: elastic/x-pack-elasticsearch@e0b989f0ac
2016-05-26 11:10:31 +02:00 · 2016-05-26 11:10:31 +02:00 · 72c3dbd3bc
parent a056aacca1
commit 72c3dbd3bc
2 changed files with 12 additions and 2 deletions
--- a/elasticsearch/x-pack/src/main/java/org/elasticsearch/xpack/notification/email/HtmlSanitizer.java
+++ b/elasticsearch/x-pack/src/main/java/org/elasticsearch/xpack/notification/email/HtmlSanitizer.java
@ -86,6 +86,8 @@ public class HtmlSanitizer {
                case "_tables":
                    policyBuilder.allowElements(TABLE_TAGS);
                    policyBuilder.allowAttributes("span").onElements("col");
+                    policyBuilder.allowAttributes("border", "cellpadding").onElements("table");
+                    policyBuilder.allowAttributes("colspan", "rowspan").onElements("th", "td");
                    break;
                case "_links":
                    policyBuilder.allowElements("a")
--- a/elasticsearch/x-pack/src/test/java/org/elasticsearch/xpack/notification/email/HtmlSanitizerTests.java
+++ b/elasticsearch/x-pack/src/test/java/org/elasticsearch/xpack/notification/email/HtmlSanitizerTests.java
@ -75,7 +75,7 @@ public class HtmlSanitizerTests extends ESTestCase {
    }

    public void testDefaultTablesAllowed() {
-        String html = "<table>" +
+        String html = "<table border=\"1\" cellpadding=\"6\">" +
                "<caption>caption</caption>" +
                "<colgroup>" +
                "<col span=\"2\" />" +
@ -83,7 +83,7 @@ public class HtmlSanitizerTests extends ESTestCase {
                "</colgroup>" +
                "<thead>" +
                "<tr>" +
-                "<th>header1</th>" +
+                "<th colspan=\"2\">header1</th>" +
                "<th>header2</th>" +
                "</tr>" +
                "</thead>" +
@ -105,6 +105,14 @@ public class HtmlSanitizerTests extends ESTestCase {
        assertThat(sanitizedHtml, equalTo(html));
    }

+    public void testAllowStyles() {
+        String html = "<table border=\"1\" cellpadding=\"6\" style=\"color:red\"></table>";
+        Settings settings = Settings.builder().putArray("xpack.notification.email.html.sanitization.allow", "_tables", "_styles").build();
+        HtmlSanitizer sanitizer = new HtmlSanitizer(settings);
+        String sanitizedHtml = sanitizer.sanitize(html);
+        assertThat(sanitizedHtml, equalTo(html));
+    }
+
    public void testDefaultFormattingAllowed() {
        String html =  "<b></b><i></i><s></s><u></u><o></o><sup></sup><sub></sub><ins></ins><del></del><strong></strong>" +
                "<strike></strike><tt></tt><code></code><big></big><small></small><span></span><br /><em></em><hr />";