Allow custom policies for 'style' attribute

Gabor Garancsi · Gabor Garancsi · commit f1541bf3e12f · 2021-10-29T09:45:45.000+02:00
diff --git a/src/main/java/org/owasp/html/HtmlPolicyBuilder.java b/src/main/java/org/owasp/html/HtmlPolicyBuilder.java
@@ -874,7 +874,7 @@ private HtmlTagSkipType getHtmlTagSkipType(String elementName) {
    */
   public final class AttributeBuilder {
     private final List<String> attributeNames;
-    private AttributePolicy policy = AttributePolicy.IDENTITY_ATTRIBUTE_POLICY;
+    private AttributePolicy policy;
 
     AttributeBuilder(List<? extends String> attributeNames) {
       this.attributeNames = ImmutableList.copyOf(attributeNames);
@@ -888,7 +888,11 @@ public final class AttributeBuilder {
      * transformation by a previous policy.
      */
     public AttributeBuilder matching(AttributePolicy attrPolicy) {
-      this.policy = AttributePolicy.Util.join(this.policy, attrPolicy);
+      if (this.policy == null) {
+        this.policy = attrPolicy;
+      } else {
+        this.policy = AttributePolicy.Util.join(this.policy, attrPolicy);
+      }
       return this;
     }
 
@@ -968,8 +972,11 @@ public AttributeBuilder matching(
      */
     @SuppressWarnings("synthetic-access")
     public HtmlPolicyBuilder globally() {
-      if (attributeNames.contains("style")) {
-          allowStyling();
+      if (attributeNames.contains("style") && policy == null) {
+        allowStyling();
+      }
+      if (this.policy == null) {
+        this.policy = AttributePolicy.IDENTITY_ATTRIBUTE_POLICY;
       }
       return HtmlPolicyBuilder.this.allowAttributesGlobally(policy,
               attributeNames);
diff --git a/src/test/java/org/owasp/html/SanitizersTest.java b/src/test/java/org/owasp/html/SanitizersTest.java
@@ -511,6 +511,18 @@ public static final void testStyleWithOtherAttributesGlobally() {
     String want = "<h1 style=\"color:green\" align=\"center\">This is some green centered text</h1>";
     assertEquals(want, policyBuilder.sanitize(input));
   }
+
+  @Test
+  public static final void testStyleGloballyWithCustomPolicy() {
+    PolicyFactory policyBuilder = new HtmlPolicyBuilder()
+            .allowAttributes("style")
+            .matching(AttributePolicy.IDENTITY_ATTRIBUTE_POLICY).globally()
+            .allowElements("a", "label", "h1", "h2", "h3", "h4", "h5", "h6")
+            .toFactory();
+    String input = "<h1 style=\"color:green; display: grid;\">This is some green centered text</h1>";
+    String want = "<h1 style=\"color:green; display: grid;\">This is some green centered text</h1>";
+    assertEquals(want, policyBuilder.sanitize(input));
+  }
   
   static int fac(int n) {
     int ifac = 1;
