From b73bd9db79ab58b20ed96ca8acf2776585dae0d1 Mon Sep 17 00:00:00 2001
From: Sven Strickroth
Date: Sat, 27 Jan 2024 12:04:21 +0100
Subject: [PATCH 1/2] Don't allow duplicates in rel attribute for links

Signed-off-by: Sven Strickroth
---
 .../org/owasp/html/HtmlPolicyBuilder.java     |  9 +++----
 .../org/owasp/html/HtmlPolicyBuilderTest.java | 25 +++++++++++++++++++
 2 files changed, 29 insertions(+), 5 deletions(-)

diff --git a/src/main/java/org/owasp/html/HtmlPolicyBuilder.java b/src/main/java/org/owasp/html/HtmlPolicyBuilder.java
index bae6d13e..0055dc30 100644
--- a/src/main/java/org/owasp/html/HtmlPolicyBuilder.java
+++ b/src/main/java/org/owasp/html/HtmlPolicyBuilder.java
@@ -1045,11 +1045,10 @@ public String apply(String elementName, List attrs) {
       for (int i = 0; i <= n; ++i) {
         if (i == n || Strings.isHtmlSpace(rels.charAt(i))) {
           if (left < i) {
-            if (skip.isEmpty()
-                || !skip.contains(
-                    Strings.toLowerCase(rels.substring(left, i)))) {
-              String rel = rels.substring(left, i);
-              present.add(rel);
+            final String rel = rels.substring(left, i);
+            final String lowerCaseRel = Strings.toLowerCase(rel);
+            if ((skip.isEmpty() || !skip.contains(lowerCaseRel)) && !present.contains(lowerCaseRel)) {
+              present.add(lowerCaseRel);
               sb.append(rel).append(' ');
             }
           }
diff --git a/src/test/java/org/owasp/html/HtmlPolicyBuilderTest.java b/src/test/java/org/owasp/html/HtmlPolicyBuilderTest.java
index 746a1017..978e3daf 100644
--- a/src/test/java/org/owasp/html/HtmlPolicyBuilderTest.java
+++ b/src/test/java/org/owasp/html/HtmlPolicyBuilderTest.java
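Review bot: The new `!present.contains(lowerCaseRel)` check on the rewritten `if` line is only cheap if `present` is a hash-based `Set`; its declaration is outside the hunk, and if it is a `List` the lookup is linear and a long attacker-supplied `rel` attribute turns this loop quadratic, so it should be a `HashSet`/`LinkedHashSet`. The reason both the `skip` lookup and the dedupe are keyed on the lowercased token is not stated in the code and deserves a comment, e.g. `// rel keywords are ASCII case-insensitive: key skip/dedupe on the lowercased form so "NoReferrer" neither bypasses a skipped rel nor (presumably, where required rels are appended from present) gets a required rel emitted twice`. This also relies on `Strings.toLowerCase` being an ASCII-only fold rather than a locale-sensitive `String.toLowerCase`; confirm against its definition. The enclosing `apply` method starts before and continues after this hunk.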
@@ -874,6 +874,31 @@ public final void testRelLinksWhenRelIsPartOfData() {
     assertEquals(toSanitize, pf.sanitize(toSanitize));
   }
 
+  @Test
+  public static final void testRelLinksWithDuplicateRels() {
+    PolicyFactory pf = new HtmlPolicyBuilder()
+      .allowElements("a")
+      .allowAttributes("href").onElements("a")
+      .allowAttributes("rel").onElements("a")
+      .allowAttributes("target").onElements("a")
+      .allowStandardUrlProtocols()
+      .toFactory();
+    assertEquals("test", pf.sanitize("test"));
+  }
+
+  @Test
+  public static final void testRelLinksWithDuplicateRelsRequired() {
+    PolicyFactory pf = new HtmlPolicyBuilder()
+      .allowElements("a")
+      .allowAttributes("href").onElements("a")
+      .allowAttributes("rel").onElements("a")
+      .allowAttributes("target").onElements("a")
+      .allowStandardUrlProtocols()
+      .requireRelsOnLinks("noreferrer")
+      .toFactory();
+    assertEquals("test", pf.sanitize("test"));
+  }
+
   @Test
   public static final void testFailFastOnSpaceSeparatedStrings() {
     boolean failed;
From a6dd52af8bf81ea8647e8c8d08a1c15804eb3d20 Mon Sep 17 00:00:00 2001
From: Mike Samuel
Date: Fri, 2 Feb 2024 09:48:24 -0700
Subject: [PATCH 2/2] Use lower case link rel attribute words

---
 src/main/java/org/owasp/html/HtmlPolicyBuilder.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/main/java/org/owasp/html/HtmlPolicyBuilder.java b/src/main/java/org/owasp/html/HtmlPolicyBuilder.java
index 0055dc30..d98ffa98 100644
--- a/src/main/java/org/owasp/html/HtmlPolicyBuilder.java
+++ b/src/main/java/org/owasp/html/HtmlPolicyBuilder.java
@@ -1049,7 +1049,7 @@ public String apply(String elementName, List attrs) {
             final String lowerCaseRel = Strings.toLowerCase(rel);
             if ((skip.isEmpty() || !skip.contains(lowerCaseRel)) && !present.contains(lowerCaseRel)) {
               present.add(lowerCaseRel);
-              sb.append(rel).append(' ');
+              sb.append(lowerCaseRel).append(' ');
             }
           }
           left = i + 1;
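Review bot: Both new tests, as rendered here, assert that `pf.sanitize("test")` equals `"test"`, an input with no `<a>` element that would not exercise the rel dedupe at all; the anchor markup appears to have been lost in rendering, so confirm the committed inputs carry a `rel` attribute with duplicate tokens. Because the dedupe key in `HtmlPolicyBuilder` is the lowercased token, `testRelLinksWithDuplicateRelsRequired` should also include a mixed-case duplicate such as `rel="noreferrer NoReferrer"` — an exact-duplicate input alone would also pass with a case-sensitive set and would not catch a regression of the case-folding. A second assertion on an input whose duplicates differ only in case, expecting a single `noreferrer`, would pin that behaviour.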
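Review bot: Emitting `lowerCaseRel` instead of `rel` on the changed `sb.append` line alters observable output (`rel="NoFollow"` now sanitizes to `nofollow`), which is safe only because HTML compares rel keywords ASCII case-insensitively; that justification belongs next to the line, e.g. `// emit the canonical lower-case form so a required rel can never appear twice in differing case`. Correctness also depends on `Strings.toLowerCase` being an ASCII-only fold; if it were a locale-sensitive `String.toLowerCase`, non-ASCII tokens could be rewritten, so confirm its definition. No test accompanies this patch, so the casing change is unpinned; an input like `rel="NoReferrer"` asserting lower-case output in the tests from PATCH 1 would cover it. The enclosing `apply` method starts before and continues after this hunk.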