From 4b0afbcb7435e633da4a5b297d4e461fa6b1bcfb Mon Sep 17 00:00:00 2001
From: Josh England
Date: Mon, 24 Jan 2022 09:31:00 +0000
Subject: [PATCH 1/2] Fix allowAttributes().globally() (#247)

Add guard to .globally() method of HtmlPolicyBuilder to prevent ArrayOutOfBoundsException when checking to see if the zeroth element of the attributeNames list contains 'style'. This restores behaviour present in version 202180219.1 which allowed for an empty allowed attributes names list to be specified globally through the builder.
---
 src/main/java/org/owasp/html/HtmlPolicyBuilder.java     | 2 +-
 src/test/java/org/owasp/html/HtmlPolicyBuilderTest.java | 5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/main/java/org/owasp/html/HtmlPolicyBuilder.java b/src/main/java/org/owasp/html/HtmlPolicyBuilder.java
index c43bfb86..143f5ac5 100644
--- a/src/main/java/org/owasp/html/HtmlPolicyBuilder.java
+++ b/src/main/java/org/owasp/html/HtmlPolicyBuilder.java
@@ -968,7 +968,7 @@ public AttributeBuilder matching(
      */
     @SuppressWarnings("synthetic-access")
     public HtmlPolicyBuilder globally() {
-      if(attributeNames.get(0).equals("style")) {
+      if(!attributeNames.isEmpty() && attributeNames.get(0).equals("style")) {
         return allowStyling();
       } else {
         return HtmlPolicyBuilder.this.allowAttributesGlobally(
diff --git a/src/test/java/org/owasp/html/HtmlPolicyBuilderTest.java b/src/test/java/org/owasp/html/HtmlPolicyBuilderTest.java
index db75e4c7..b9685541 100644
--- a/src/test/java/org/owasp/html/HtmlPolicyBuilderTest.java
+++ b/src/test/java/org/owasp/html/HtmlPolicyBuilderTest.java
@@ -994,6 +994,11 @@ public static final void testTextareaIsNotTextArea() {
     assertEquals("x", textAreaPolicy.sanitize(input));
   }
 
+  @Test
+  public static final void testHtmlPolicyBuilderDefinitionWithNoAttributesDefinedGlobally() {
+    new HtmlPolicyBuilder().allowElements().allowAttributes().globally().toFactory();
+  }
+
   private static String apply(HtmlPolicyBuilder b) {
     return apply(b, EXAMPLE);
   }
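Review bot: The new guard still dispatches on `attributeNames.get(0)` alone, so a call such as `allowAttributes("title", "style").globally()` takes the else branch and "style" is handed to `allowAttributesGlobally(policy, attributeNames)` instead of going through `allowStyling()`; whether that lets CSS through unsanitized depends on what `policy` holds when `matching()` was never called, which this hunk does not show. Conversely, `allowAttributes("style", "title").globally()` returns `allowStyling()` and silently drops every other name in the list. A position-independent check such as `if (attributeNames.contains("style"))` that still forwards the remaining names would cover both cases; the second patch in this series reworks the branch along those lines. The body of `globally()` continues past the end of the hunk.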
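Review bot: The added test only verifies that the builder chain no longer throws; it asserts nothing about the policy it produces, so a regression in which `globally()` allowed or dropped attributes it should not would still pass. Consider running the factory over an input that carries an attribute and asserting the sanitized output, in the style of the surrounding `apply(...)`/`assertEquals` tests. The exact expected string depends on what an argument-less `allowElements()` permits, which is not visible in this hunk, so no value is proposed here.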
From a69a02124b6a7515c241877ce206a3e9cca9aef5 Mon Sep 17 00:00:00 2001
From: Mike Samuel
Date: Thu, 27 Jan 2022 10:53:31 -0700
Subject: [PATCH 2/2] Allow styling when any attribute name matches "style" globally

---
 src/main/java/org/owasp/html/HtmlPolicyBuilder.java | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/src/main/java/org/owasp/html/HtmlPolicyBuilder.java b/src/main/java/org/owasp/html/HtmlPolicyBuilder.java
index 143f5ac5..57dd99d0 100644
--- a/src/main/java/org/owasp/html/HtmlPolicyBuilder.java
+++ b/src/main/java/org/owasp/html/HtmlPolicyBuilder.java
@@ -968,12 +968,11 @@ public AttributeBuilder matching(
      */
     @SuppressWarnings("synthetic-access")
     public HtmlPolicyBuilder globally() {
-      if(!attributeNames.isEmpty() && attributeNames.get(0).equals("style")) {
-        return allowStyling();
-      } else {
-        return HtmlPolicyBuilder.this.allowAttributesGlobally(
-          policy, attributeNames);
+      if (attributeNames.contains("style")) {
+        allowStyling();
       }
+      return HtmlPolicyBuilder.this.allowAttributesGlobally(
+          policy, attributeNames);
     }
 
     /**
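Review bot: `attributeNames` still contains "style" when it reaches `allowAttributesGlobally(policy, attributeNames)` on the new return lines, so the global "style" attribute is now registered twice: once with the styling policy installed by `allowStyling()` and once with `policy`. Whether the resulting combination is at least as strict as the styling policy on its own depends on how `allowAttributesGlobally` merges policies for the same name, which is outside this hunk; if that merge is not guaranteed to be restrictive, the name should be removed before the call, e.g. build a copy of `attributeNames` without "style" and pass that in the collection idiom the project's Java level supports. The patch also adds no test for a list that holds "style" in a non-zero position, which is exactly the case its subject line says it handles; a companion to the test added in the first patch, asserting the sanitized output of an element with a style attribute, would pin that down.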