allowed custom styles, added test with user input, updated html sanitizer version - fixes #30

bgalek · bgalek · commit ddeb6adc8297 · 2022-12-08T23:06:11.000+01:00
diff --git a/build.gradle.kts b/build.gradle.kts
@@ -14,7 +14,7 @@ repositories {
 }
 
 dependencies {
-    implementation("com.googlecode.owasp-java-html-sanitizer:owasp-java-html-sanitizer:20220608.1")
+    implementation("com.googlecode.owasp-java-html-sanitizer:owasp-java-html-sanitizer:1.1")
     testImplementation("org.junit.jupiter:junit-jupiter:5.9.1")
 }
 
diff --git a/src/main/java/com/github/bgalek/security/svg/SvgSecurityValidator.java b/src/main/java/com/github/bgalek/security/svg/SvgSecurityValidator.java
@@ -71,7 +71,6 @@ private Set<String> getOffendingElements(String xml) {
         if (JAVASCRIPT_PROTOCOL_IN_CSS_URL.matcher(xml).find()) return Collections.singleton("style");
         PolicyFactory policy = new HtmlPolicyBuilder()
                 .allowElements(this.svgElements)
-                .allowStyling(CssSchema.union(CssSchema.DEFAULT, CssSchema.withProperties(SVG_SPECIFIC_STYLES)))
                 .allowAttributes(this.svgAttributes).globally()
                 .allowUrlProtocols("https")
                 .toFactory();
@@ -80,10 +79,6 @@ private Set<String> getOffendingElements(String xml) {
         return violations;
     }
 
-    private static final ImmutableMap<String, CssSchema.Property> SVG_SPECIFIC_STYLES = ImmutableMap.of(
-            "enable-background", new CssSchema.Property(1, ImmutableSet.of(), ImmutableMap.of())
-    );
-
     private static HtmlChangeListener<Set<String>> violationsCollector() {
         return new ListHtmlChangeListener();
     }
diff --git a/src/test/java/com/github/bgalek/security/SvgSecurityValidatorTest.java b/src/test/java/com/github/bgalek/security/SvgSecurityValidatorTest.java
@@ -10,6 +10,8 @@
 import java.io.File;
 import java.io.IOException;
 import java.nio.file.Files;
+import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.Collections;
 import java.util.List;
 import java.util.Objects;
@@ -67,6 +69,18 @@ void shouldNotFailWhenUserDefinedAttributesAreUsed() {
 
     @Test
     void shouldNotFailWhenUserDefinedElementsAreUsed() {
+        String testFile = loadFile("custom/custom3.svg");
+        ValidationResult detect = SvgSecurityValidator.builder()
+                .withAdditionalElements(Arrays.asList("horiz-adv-x", "missing-glyph", "font-face", "font"))
+                .withAdditionalAttributes(Arrays.asList("horiz-adv-x", "font", "units-per-em"))
+                .build()
+                .validate(testFile);
+        assertEquals(Collections.emptySet(), detect.getOffendingElements());
+        assertFalse(detect.hasViolations());
+    }
+
+    @Test
+    void shouldNotFailWhenCustomStylesAreUsed() {
         String testFile = loadFile("custom/custom2.svg");
         List<String> strings = Collections.singletonList("cursor");
         ValidationResult detect = SvgSecurityValidator.builder()
diff --git a/src/test/resources/custom/custom3.svg b/src/test/resources/custom/custom3.svg

Original file line number	Diff line number	Diff line change
`@@ -14,7 +14,7 @@ repositories {`
`14`	`14`	`}`
`15`	`15`
`16`	`16`	`dependencies {`
`17`		`- implementation("com.googlecode.owasp-java-html-sanitizer:owasp-java-html-sanitizer:20220608.1")`
	`17`	`+ implementation("com.googlecode.owasp-java-html-sanitizer:owasp-java-html-sanitizer:1.1")`
`18`	`18`	`testImplementation("org.junit.jupiter:junit-jupiter:5.9.1")`
`19`	`19`	`}`
`20`	`20`