HtmlPolicyBuilder href is not coming in <u> tag after using PolicyFactory.sanitize in Java code

<u href="javascript:toggleTable('*****')" onMouseOver="this.style.color='red'" onMouseOut="this.style.color='#000000'">*****</u>

The above element sits under a th tag; after sanitising, the href attribute is not coming through, as shown below:

<u onmouseover="this.style.color='red'" onmouseout="this.style.color='#000000'">*****</u>

Below is the code snippet with which I'm trying to allow the href attribute under the u element:

import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

// Policy meant to keep href, onMouseOver and onMouseOut on <u>
PolicyFactory html = new HtmlPolicyBuilder()
    .allowElements("u")
    .allowAttributes("href", "onMouseOver", "onMouseOut").onElements("u")
    .allowTextIn("u")
    .allowCommonBlockElements()
    .allowCommonInlineFormattingElements()
    .allowStandardUrlProtocols()
    .allowUrlProtocols("href")
    .allowStyling()
    .requireRelNofollowOnLinks()
    .allowAttributes("href").globally()
    .toFactory();

I'm facing the same issue with the table and tr elements as well. The style attribute is not coming through under the table and tr elements either.

Any suggestion/help is appreciated. Thanks in advance.


BEST ANSWER

The href attribute is being removed because it doesn't have an allowed protocol. If .allowUrlProtocols("href") is changed to .allowUrlProtocols("javascript") then it would be allowed.

Allowing javascript URLs, or onMouseOver and onMouseOut attributes, will allow scripts to be executed, though, and be vulnerable to XSS attacks.

Instead, you can change the design. Mouse-over styling doesn't need JavaScript. It can be done with the CSS :hover selector.
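A hardened version of the question's policy, written as an added example rather than code from the question or from the OWASP Java HTML Sanitizer project: event-handler attributes are never allowed, href is kept only on anchors and only with a standard protocol (so a javascript: URL is dropped), and the hover effect is left to a stylesheet rule keyed on a class attribute whose value is restricted by a constructed pattern. The class name, the stylesheet rule and the sample input are assumptions for the demonstration.

```java
import java.util.regex.Pattern;
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

public class HoverPolicyDemo {

    // Constructed allow-list for class names (letters, digits, '-' and '_'), so the
    // hover effect can come from a stylesheet rule such as  u.toggle:hover { color: red; }
    private static final Pattern SAFE_CLASS = Pattern.compile("[A-Za-z][A-Za-z0-9_-]{0,31}");

    // Hardened policy: no on* attributes are allowed at all, and "href" is only kept on <a>
    // when its protocol is in the standard set (http, https, mailto); javascript: is not.
    static final PolicyFactory POLICY = new HtmlPolicyBuilder()
            .allowElements("u", "table", "tr", "th", "td")
            .allowAttributes("class").matching(SAFE_CLASS).onElements("u")
            .allowStyling()                 // "style" survives, limited to a safe CSS subset
            .allowElements("a")
            .allowAttributes("href").onElements("a")
            .allowStandardUrlProtocols()
            .requireRelNofollowOnLinks()
            .toFactory();

    static String sanitize(String untrusted) {
        return POLICY.sanitize(untrusted);
    }

    public static void main(String[] args) {
        // Constructed input mirroring the question: a javascript: URL plus inline event handlers.
        String fromQuestion = "<table><tr style=\"color:#000000\"><th>"
                + "<u class=\"toggle\" href=\"javascript:toggleTable('x')\" "
                + "onMouseOver=\"this.style.color='red'\" onMouseOut=\"this.style.color='#000000'\">x</u>"
                + "</th></tr></table>";
        // A link with an allowed protocol, for contrast.
        String plainLink = "<a href=\"https://example.com/\">docs</a>";

        System.out.println(sanitize(fromQuestion)); // href and on* handlers are dropped; class and style stay
        System.out.println(sanitize(plainLink));    // href kept, rel="nofollow" added
    }
}
```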


As in the answer above, adding javascript via .allowUrlProtocols("javascript") will allow it to pass, but you will still get UTF-encoded "(" & ")" in javascript:toggleTable('*****'), as "(" & ")" count as special characters.

Your output will look like javascript:toggleTable0028'*****'0029

To make it work you will have to replace it with the String replace function.

// Undo the encoding of "(" and ")" after sanitizing
sanitizer.sanitize(HTML).replace("0028", "(").replace("0029", ")");