Don't allow duplicates in rel attribute for links

csware · csware · commit 799851e2d8b7 · 2024-01-27T12:06:37.000+01:00
Signed-off-by: Sven Strickroth &lt;email@cs-ware.de&gt;
diff --git a/src/main/java/org/owasp/html/HtmlPolicyBuilder.java b/src/main/java/org/owasp/html/HtmlPolicyBuilder.java
@@ -1048,7 +1048,7 @@ public String apply(String elementName, List<String> attrs) {
                 if (i == n || Strings.isHtmlSpace(rels.charAt(i))) {
                   if (left < i) {
                     final String rel = Strings.toLowerCase(rels.substring(left, i));
-                    if (skip.isEmpty() || !skip.contains(rel)) {
+                    if ((skip.isEmpty() || !skip.contains(rel)) && !usedRels.contains(rel)) {
                       sb.append(rels, left, i).append(' ');
                       usedRels.add(rel);
                     }
diff --git a/src/test/java/org/owasp/html/HtmlPolicyBuilderTest.java b/src/test/java/org/owasp/html/HtmlPolicyBuilderTest.java
@@ -813,6 +813,31 @@ public static final void testRelLinksWhenRelisPartOfData() {
 	  assertEquals(toSanitize, pf.sanitize(toSanitize));
   }
 
+  @Test
+  public static final void testRelLinksWithDuplicateRels() {
+    PolicyFactory pf = new HtmlPolicyBuilder()
+        .allowElements("a")
+        .allowAttributes("href").onElements("a")
+        .allowAttributes("rel").onElements("a")
+        .allowAttributes("target").onElements("a")
+        .allowStandardUrlProtocols()
+        .toFactory();
+    assertEquals("<a target=\"_blank\" rel=\"noopener noreferrer\" href=\"https://google.com\">test</a>", pf.sanitize("<a target=\"_blank\" rel=\"noopener noreferrer noreferrer\" href=\"https://google.com\">test</a>"));
+  }
+
+  @Test
+  public static final void testRelLinksWithDuplicateRelsRequired() {
+    PolicyFactory pf = new HtmlPolicyBuilder()
+        .allowElements("a")
+        .allowAttributes("href").onElements("a")
+        .allowAttributes("rel").onElements("a")
+        .allowAttributes("target").onElements("a")
+        .allowStandardUrlProtocols()
+        .requireRelsOnLinks("noreferrer")
+        .toFactory();
+    assertEquals("<a target=\"_blank\" rel=\"noopener noreferrer\" href=\"https://google.com\">test</a>", pf.sanitize("<a target=\"_blank\" rel=\"noopener noreferrer noreferrer\" href=\"https://google.com\">test</a>"));
+  }
+
   @Test
   public static final void testFailFastOnSpaceSeparatedStrings() {
     boolean failed;

Original file line number	Diff line number	Diff line change
`@@ -1048,7 +1048,7 @@ public String apply(String elementName, List<String> attrs) {`
`1048`	`1048`	`if (i == n \|\| Strings.isHtmlSpace(rels.charAt(i))) {`
`1049`	`1049`	`if (left < i) {`
`1050`	`1050`	`final String rel = Strings.toLowerCase(rels.substring(left, i));`
`1051`		`- if (skip.isEmpty() \|\| !skip.contains(rel)) {`
	`1051`	`+ if ((skip.isEmpty() \|\| !skip.contains(rel)) && !usedRels.contains(rel)) {`
`1052`	`1052`	`sb.append(rels, left, i).append(' ');`
`1053`	`1053`	`usedRels.add(rel);`
`1054`	`1054`	`}`