Fix repeatedly adding rel values

csware · csware · commit 61279994daba · 2024-01-24T21:13:24.000+01:00
(fixes issue #306) Signed-off-by: Sven Strickroth <email@cs-ware.de>
diff --git a/src/main/java/org/owasp/html/HtmlPolicyBuilder.java b/src/main/java/org/owasp/html/HtmlPolicyBuilder.java
@@ -1038,6 +1038,7 @@ public String apply(String elementName, List<String> attrs) {
           if (relIndex < 0 && hasTarget && extra.isEmpty() && skip.isEmpty()) {
             relValue = DEFAULT_RELS_ON_TARGETTED_LINKS_STR;
           } else {
+            final Set<String> usedRels = new HashSet<>();
             StringBuilder sb = new StringBuilder();
             if (relIndex >= 0) {
               // Preserve values that are not explicitly skipped.
@@ -1046,21 +1047,23 @@ public String apply(String elementName, List<String> attrs) {
               for (int i = 0; i <= n; ++i) {
                 if (i == n || Strings.isHtmlSpace(rels.charAt(i))) {
                   if (left < i) {
-                    if (skip.isEmpty()
-                        || !skip.contains(
-                            Strings.toLowerCase(rels.substring(left, i)))) {
+                    final String rel = Strings.toLowerCase(rels.substring(left, i));
+                    if (skip.isEmpty() || !skip.contains(rel)) {
                       sb.append(rels, left, i).append(' ');
+                      usedRels.add(rel);
                     }
                   }
                   left = i + 1;
                 }
               }
             }
             for (String s : extra) {
+              if (usedRels.contains(s)) { continue; }
               sb.append(s).append(' ');
             }
             if (hasTarget) {
               for (String s : whenTargetPresent) {
+                if (usedRels.contains(s)) { continue; }
                 sb.append(s).append(' ');
               }
             }
diff --git a/src/test/java/org/owasp/html/HtmlPolicyBuilderTest.java b/src/test/java/org/owasp/html/HtmlPolicyBuilderTest.java
@@ -810,7 +810,7 @@ public static final void testRelLinksWhenRelisPartOfData() {
 		        .allowStandardUrlProtocols()
 		        .toFactory();
 	  String toSanitize = "<a target=\"_blank\" rel=\"noopener noreferrer\" href=\"https://google.com\">test</a>";
-	  assertTrue("Failure in testRelLinksWhenRelisPartOfData", pf.sanitize(toSanitize).equals(toSanitize));
+	  assertEquals(toSanitize, pf.sanitize(toSanitize));
   }
 
   @Test

Original file line number	Diff line number	Diff line change
`@@ -1038,6 +1038,7 @@ public String apply(String elementName, List<String> attrs) {`
`1038`	`1038`	`if (relIndex < 0 && hasTarget && extra.isEmpty() && skip.isEmpty()) {`
`1039`	`1039`	`relValue = DEFAULT_RELS_ON_TARGETTED_LINKS_STR;`
`1040`	`1040`	`} else {`
	`1041`	`+ final Set<String> usedRels = new HashSet<>();`
`1041`	`1042`	`StringBuilder sb = new StringBuilder();`
`1042`	`1043`	`if (relIndex >= 0) {`
`1043`	`1044`	`// Preserve values that are not explicitly skipped.`
`@@ -1046,21 +1047,23 @@ public String apply(String elementName, List<String> attrs) {`
`1046`	`1047`	`for (int i = 0; i <= n; ++i) {`
`1047`	`1048`	`if (i == n \|\| Strings.isHtmlSpace(rels.charAt(i))) {`
`1048`	`1049`	`if (left < i) {`
`1049`		`- if (skip.isEmpty()`
`1050`		`- \|\| !skip.contains(`
`1051`		`- Strings.toLowerCase(rels.substring(left, i)))) {`
	`1050`	`+ final String rel = Strings.toLowerCase(rels.substring(left, i));`
	`1051`	`+ if (skip.isEmpty() \|\| !skip.contains(rel)) {`
`1052`	`1052`	`sb.append(rels, left, i).append(' ');`
	`1053`	`+ usedRels.add(rel);`
`1053`	`1054`	`}`
`1054`	`1055`	`}`
`1055`	`1056`	`left = i + 1;`
`1056`	`1057`	`}`
`1057`	`1058`	`}`
`1058`	`1059`	`}`
`1059`	`1060`	`for (String s : extra) {`
	`1061`	`+ if (usedRels.contains(s)) { continue; }`
`1060`	`1062`	`sb.append(s).append(' ');`
`1061`	`1063`	`}`
`1062`	`1064`	`if (hasTarget) {`
`1063`	`1065`	`for (String s : whenTargetPresent) {`
	`1066`	`+ if (usedRels.contains(s)) { continue; }`
`1064`	`1067`	`sb.append(s).append(' ');`
`1065`	`1068`	`}`
`1066`	`1069`	`}`
Original file line number	Diff line number	Diff line change
`@@ -810,7 +810,7 @@ public static final void testRelLinksWhenRelisPartOfData() {`
`810`	`810`	`.allowStandardUrlProtocols()`
`811`	`811`	`.toFactory();`
`812`	`812`	`String toSanitize = "<a target=\"_blank\" rel=\"noopener noreferrer\" href=\"https://google.com\">test</a>";`
`813`		`- assertTrue("Failure in testRelLinksWhenRelisPartOfData", pf.sanitize(toSanitize).equals(toSanitize));`
	`813`	`+ assertEquals(toSanitize, pf.sanitize(toSanitize));`
`814`	`814`	`}`
`815`	`815`
`816`	`816`	`@Test`