From b4936179bd5e277e291387d2cdc0b1df0001155c Mon Sep 17 00:00:00 2001
From: Gabor Garancsi <gabor.garancsi@casrd.net>
Date: Wed, 27 Oct 2021 18:09:17 +0200
Subject: [PATCH 1/2] Do not ignore attributes allowed globally together with
 'style' (#237)

Also, allowStyling() internally allows the 'style' attribute, so it is not
necessary to ignore it.
---
 src/main/java/org/owasp/html/HtmlPolicyBuilder.java |  9 ++++-----
 src/test/java/org/owasp/html/SanitizersTest.java    | 11 +++++++++++
 2 files changed, 15 insertions(+), 5 deletions(-)

diff --git a/src/main/java/org/owasp/html/HtmlPolicyBuilder.java b/src/main/java/org/owasp/html/HtmlPolicyBuilder.java
index c43bfb86..764d5ee4 100644
--- a/src/main/java/org/owasp/html/HtmlPolicyBuilder.java
+++ b/src/main/java/org/owasp/html/HtmlPolicyBuilder.java
@@ -968,12 +968,11 @@ public AttributeBuilder matching(
      */
     @SuppressWarnings("synthetic-access")
     public HtmlPolicyBuilder globally() {
-      if(attributeNames.get(0).equals("style")) {
-        return allowStyling();
-      } else {
-        return HtmlPolicyBuilder.this.allowAttributesGlobally(
-            policy, attributeNames);
+      if (attributeNames.contains("style")) {
+          allowStyling();
       }
+      return HtmlPolicyBuilder.this.allowAttributesGlobally(policy,
+              attributeNames);
     }
 
     /**
diff --git a/src/test/java/org/owasp/html/SanitizersTest.java b/src/test/java/org/owasp/html/SanitizersTest.java
index 4cb7bbca..0fdd23cc 100644
--- a/src/test/java/org/owasp/html/SanitizersTest.java
+++ b/src/test/java/org/owasp/html/SanitizersTest.java
@@ -500,6 +500,17 @@ public static final void testStyleGlobally() {
     String want = "<h1 style=\"color:green\">This is some green text</h1>";
     assertEquals(want, policyBuilder.sanitize(input));
   }
+
+  @Test
+  public static final void testStyleWithOtherAttributesGlobally() {
+    PolicyFactory policyBuilder = new HtmlPolicyBuilder()
+            .allowAttributes("style", "align").globally()
+            .allowElements("a", "label", "h1", "h2", "h3", "h4", "h5", "h6")
+            .toFactory();
+    String input = "<h1 style=\"color:green ;name:user ;\" align=\"center\">This is some green centered text</h1>";
+    String want = "<h1 style=\"color:green\" align=\"center\">This is some green centered text</h1>";
+    assertEquals(want, policyBuilder.sanitize(input));
+  }
   
   static int fac(int n) {
     int ifac = 1;

From f1541bf3e12f6773f65f4472fdc003654743acd5 Mon Sep 17 00:00:00 2001
From: Gabor Garancsi <gabor.garancsi@casrd.net>
Date: Fri, 29 Oct 2021 09:43:51 +0200
Subject: [PATCH 2/2] Allow custom policies for 'style' attribute

---
 .../java/org/owasp/html/HtmlPolicyBuilder.java    | 15 +++++++++++----
 src/test/java/org/owasp/html/SanitizersTest.java  | 12 ++++++++++++
 2 files changed, 23 insertions(+), 4 deletions(-)

diff --git a/src/main/java/org/owasp/html/HtmlPolicyBuilder.java b/src/main/java/org/owasp/html/HtmlPolicyBuilder.java
index 764d5ee4..f3ee18f6 100644
--- a/src/main/java/org/owasp/html/HtmlPolicyBuilder.java
+++ b/src/main/java/org/owasp/html/HtmlPolicyBuilder.java
@@ -874,7 +874,7 @@ private HtmlTagSkipType getHtmlTagSkipType(String elementName) {
    */
   public final class AttributeBuilder {
     private final List<String> attributeNames;
-    private AttributePolicy policy = AttributePolicy.IDENTITY_ATTRIBUTE_POLICY;
+    private AttributePolicy policy;
 
     AttributeBuilder(List<? extends String> attributeNames) {
       this.attributeNames = ImmutableList.copyOf(attributeNames);
@@ -888,7 +888,11 @@ public final class AttributeBuilder {
      * transformation by a previous policy.
      */
     public AttributeBuilder matching(AttributePolicy attrPolicy) {
-      this.policy = AttributePolicy.Util.join(this.policy, attrPolicy);
+      if (this.policy == null) {
+        this.policy = attrPolicy;
+      } else {
+        this.policy = AttributePolicy.Util.join(this.policy, attrPolicy);
+      }
       return this;
     }
 
@@ -968,8 +972,11 @@ public AttributeBuilder matching(
      */
     @SuppressWarnings("synthetic-access")
     public HtmlPolicyBuilder globally() {
-      if (attributeNames.contains("style")) {
-          allowStyling();
+      if (attributeNames.contains("style") && policy == null) {
+        allowStyling();
+      }
+      if (this.policy == null) {
+        this.policy = AttributePolicy.IDENTITY_ATTRIBUTE_POLICY;
       }
       return HtmlPolicyBuilder.this.allowAttributesGlobally(policy,
               attributeNames);
diff --git a/src/test/java/org/owasp/html/SanitizersTest.java b/src/test/java/org/owasp/html/SanitizersTest.java
index 0fdd23cc..00b815fc 100644
--- a/src/test/java/org/owasp/html/SanitizersTest.java
+++ b/src/test/java/org/owasp/html/SanitizersTest.java
@@ -511,6 +511,18 @@ public static final void testStyleWithOtherAttributesGlobally() {
     String want = "<h1 style=\"color:green\" align=\"center\">This is some green centered text</h1>";
     assertEquals(want, policyBuilder.sanitize(input));
   }
+
+  @Test
+  public static final void testStyleGloballyWithCustomPolicy() {
+    PolicyFactory policyBuilder = new HtmlPolicyBuilder()
+            .allowAttributes("style")
+            .matching(AttributePolicy.IDENTITY_ATTRIBUTE_POLICY).globally()
+            .allowElements("a", "label", "h1", "h2", "h3", "h4", "h5", "h6")
+            .toFactory();
+    String input = "<h1 style=\"color:green; display: grid;\">This is some green centered text</h1>";
+    String want = "<h1 style=\"color:green; display: grid;\">This is some green centered text</h1>";
+    assertEquals(want, policyBuilder.sanitize(input));
+  }
   
   static int fac(int n) {
     int ifac = 1;