Commit 2372314f authored by Matija Obreza's avatar Matija Obreza

Allow images in HTML content

parent 68e3da10
/**
* Copyright 2014 Global Crop Diversity Trust
/*
* Copyright 2019 Global Crop Diversity Trust
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
......@@ -12,7 +12,7 @@
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
**/
*/
package org.genesys2.server.service.impl;
......@@ -24,10 +24,9 @@ import org.owasp.html.PolicyFactory;
import org.springframework.stereotype.Service;
/**
* HTML sanitizer using owasp-java-html-sanitizer
* HTML sanitizer using owasp-java-html-sanitizer.
*
* @author mobreza
*
*/
@Service
public class OWASPSanitizer implements HtmlSanitizer {
......@@ -61,10 +60,13 @@ public class OWASPSanitizer implements HtmlSanitizer {
.allowAttributes("src")
.matching(Pattern.compile("^((https:)?//player\\.vimeo\\.com/|(https:)?//www\\.youtube\\.com/).+"))
.onElements("iframe")
// Images
.allowAttributes("src", "alt", "style", "width", "height", "srcset", "sizes")
.onElements("img")
// Elements
.allowElements("table", "thead", "tbody", "tr", "td", "th", "tfoot", "a", "p", "div", "i", "b", "em", "blockquote", "tt", "strong", "br", "ul",
"ol", "li", "h1", "h2", "h3", "h4", "small", "pre", "code", "iframe")
"ol", "li", "h1", "h2", "h3", "h4", "small", "pre", "code", "iframe", "img")
// Get factory
.toFactory();
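Review bot: `src` on `img` (line 36) is allowed without a `.matching(...)` constraint, unlike the `iframe` `src` directly above it, so which URL schemes survive depends on a URL-protocol policy (`allowUrlProtocols`/`allowStandardUrlProtocols`) that, if configured at all, lies outside this hunk; the new `testImage` pins only a relative `src`. The same line allows `style` as a plain attribute, which passes the raw CSS text through unless `allowStyling()` is set elsewhere on the builder, and `srcset` is a list of URLs that older sanitizer versions do not route through the `src` URL policy. I would constrain the image URLs the way the iframe rule does, e.g. `.allowAttributes("src", "srcset").matching(Pattern.compile("^(/|(https?:)?//).+")).onElements("img")` (the pattern is a sketch; tighten it to the hosts actually served), and drop `style` from the list in favour of `allowStyling()`. The builder statement this chain belongs to starts before the hunk.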
......@@ -33,4 +33,15 @@ public class OWASPSanitizerTest extends AbstractServicesTest {
assertThat("HTML not sanitized", htmlSanitizer.sanitize(inputHtml).trim(), equalTo(expectedHtml));
}
@Test
public void testImage() {
String inputHtml = "<img src='hello' alt='haha' title='hoho' foobar='test' />";
String expectedHtml = "<img src=\"hello\" alt=\"haha\" title=\"hoho\" />";
assertThat("HTML not sanitized", htmlSanitizer.sanitize(inputHtml).trim(), equalTo(expectedHtml));
}
}
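Review bot: `testImage` checks only that unknown attributes are stripped from an `img` with a relative `src`; it does not assert the property the new rule actually hinges on, namely that a `src` or `srcset` whose scheme is not allowed by the policy is dropped and that `style` content is filtered rather than copied through. A second case in the same method with a `src` carrying a disallowed scheme, asserting that the attribute is absent from the sanitized output, would pin that behaviour and catch a later change to the protocol policy. The expected value also keeps `title="hoho"` although `title` is not in the `img` attribute list, which presumably comes from a global attribute rule outside this diff; a one-line comment saying so, `// title survives via the global attribute rule`, would stop the next reader from treating it as a leak. The test class starts before this hunk.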