Fix allowAttributes().globally() (#247) (#248)

mymhealthltd-joshengland · mikesamuel · web-flow · commit 68662fcade34 · 2024-02-01T21:15:05.000-07:00
* Fix allowAttributes().globally() (#247) Add guard to .globally() method of HtmlPolicyBuilder to prevent ArrayOutOfBoundsException when checking to see if the zeroth element of the attributeNames list contains 'style'. This restores behaviour present in version 202180219.1 which allowed for an empty allowed attributes names list to be specified globally through the builder. * Allow styling when any attribute name matches "style" globally --------- Co-authored-by: Mike Samuel <mikesamuel@gmail.com>
diff --git a/src/main/java/org/owasp/html/HtmlPolicyBuilder.java b/src/main/java/org/owasp/html/HtmlPolicyBuilder.java
@@ -964,12 +964,11 @@ public AttributeBuilder matching(
      */
     @SuppressWarnings("synthetic-access")
     public HtmlPolicyBuilder globally() {
-      if(attributeNames.get(0).equals("style")) {
-        return allowStyling();
-      } else {
-        return HtmlPolicyBuilder.this.allowAttributesGlobally(
-            policy, attributeNames);
+      if (attributeNames.contains("style")) {
+        allowStyling();
       }
+      return HtmlPolicyBuilder.this.allowAttributesGlobally(
+          policy, attributeNames);
     }
 
     /**
diff --git a/src/test/java/org/owasp/html/HtmlPolicyBuilderTest.java b/src/test/java/org/owasp/html/HtmlPolicyBuilderTest.java
@@ -1007,6 +1007,12 @@ public static final void testTextareaIsNotTextArea() {
     assertEquals("x<textArea>y</textArea>", textAreaPolicy.sanitize(input));
   }
 
+  @Test
+  public static final void testHtmlPolicyBuilderDefinitionWithNoAttributesDefinedGlobally() {
+    // Does not crash with a runtime exception
+    new HtmlPolicyBuilder().allowElements().allowAttributes().globally().toFactory();
+  }
+
   @Test
   public static final void testCSSFontSize() {
 	 HtmlPolicyBuilder builder = new HtmlPolicyBuilder();
