org.owasp.html.HtmlPolicyBuilder Maven / Gradle / Ivy
// Copyright (c) 2011, Mike Samuel
// All rights reserved.
//
// Redistribution and use in source and binary forms, with or without
// modification, are permitted provided that the following conditions
// are met:
//
// Redistributions of source code must retain the above copyright
// notice, this list of conditions and the following disclaimer.
// Redistributions in binary form must reproduce the above copyright
// notice, this list of conditions and the following disclaimer in the
// documentation and/or other materials provided with the distribution.
// Neither the name of the OWASP nor the names of its contributors may
// be used to endorse or promote products derived from this software
// without specific prior written permission.
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
// INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
// BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
// LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
// LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
// ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
// POSSIBILITY OF SUCH DAMAGE.
package org.owasp.html;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;
import javax.annotation.Nullable;
import javax.annotation.concurrent.NotThreadSafe;
import org.owasp.html.ElementPolicy.JoinableElementPolicy;
import com.google.common.base.Function;
import com.google.common.base.Joiner;
import com.google.common.base.Preconditions;
import com.google.common.base.Predicate;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableMap;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Maps;
import com.google.common.collect.Sets;
/**
* Conveniences for configuring policies for the {@link HtmlSanitizer}.
*
* Usage
*
* To create a policy, first construct an instance of this class; then call
* allow…
methods to turn on tags, attributes, and other
* processing modes; and finally call build(renderer)
or
* toFactory()
.
*
*
* // Define the policy.
* Function<HtmlStreamEventReceiver, HtmlSanitizer.Policy> policy
* = new HtmlPolicyBuilder()
* .allowElements("a", "p")
* .allowAttributes("href").onElements("a")
* .toFactory();
*
* // Sanitize your output.
* HtmlSanitizer.sanitize(myHtml, policy.apply(myHtmlStreamRenderer));
*
*
* Embedded Content
*
* Embedded URLs are filtered by
* {@link HtmlPolicyBuilder#allowUrlProtocols protocol}.
* There is a {@link HtmlPolicyBuilder#allowStandardUrlProtocols canned policy}
* so you can easily white-list widely used policies that don't violate the
* current pages origin. See "Customization" below for ways to do further
* filtering. If you allow links it might be worthwhile to
* {@link HtmlPolicyBuilder#requireRelNofollowOnLinks() require}
* {@code rel=nofollow}.
*
*
* This class simply throws out all embedded JS.
* Use a custom element or attribute policy to allow through
* signed or otherwise known-safe code.
* Check out the Caja project if you need a way to contain third-party JS.
*
*
* This class does not attempt to faithfully parse and sanitize CSS.
* It does provide {@link HtmlPolicyBuilder#allowStyling() one} styling option
* that allows through a few CSS properties that allow textual styling, but that
* disallow image loading, history stealing, layout breaking, code execution,
* etc.
*
*
* Customization
*
* You can easily do custom processing on tags and attributes by supplying your
* own {@link ElementPolicy element policy} or
* {@link AttributePolicy attribute policy} when calling
* allow…
.
* E.g. to convert headers into {@code
}s, you could use an element policy
*
*
* new HtmlPolicyBuilder()
* .allowElement(
* new ElementPolicy() {
* public String apply(String elementName, List<String> attributes){
* attributes.add("class");
* attributes.add("header-" + elementName);
* return "div";
* }
* },
* "h1", "h2", "h3", "h4", "h5", "h6")
* .build(outputChannel)
*
*
* Rules of Thumb
*
* Throughout this class, several rules hold:
*
* - Everything is denied by default. There are
*
disallow…
methods, but those reverse
* allows instead of rolling back overly permissive defaults.
* - The order of allows and disallows does not matter.
* Disallows trump allows whether they occur before or after them.
* The only method that needs to be called in a particular place is
* {@link HtmlPolicyBuilder#build}.
* Allows or disallows after {@code build} is called have no
* effect on the already built policy.
*
- Element and attribute policies are applied in the following order:
* element specific attribute policy, global attribute policy, element
* policy.
* Element policies come last so they can observe all the post-processed
* attributes, and so they can add attributes that are exempt from
* attribute policies.
* Element specific policies go first, so they can normalize content to
* a form that might be acceptable to a more simplistic global policy.
*
*
* Thread safety and efficiency
*
* This class is not thread-safe. The resulting policy will not violate its
* security guarantees as a result of race conditions, but is not thread safe
* because it maintains state to track whether text inside disallowed elements
* should be suppressed.
*
* The resulting policy can be reused, but if you use the
* {@link HtmlPolicyBuilder#toFactory()} method instead of {@link #build}, then
* binding policies to output channels is cheap so there's no need.
*
*
* @author Mike Samuel ([email protected])
*/
@TCB
@NotThreadSafe
public class HtmlPolicyBuilder {
/**
* The default set of elements that are removed if they have no attributes.
* Since {@code } is in this set, by default, a policy will remove
* {@code } because its URL is not allowed
* and it has no other attributes that would warrant it appearing in the
* output.
*/
public static final ImmutableSet DEFAULT_SKIP_IF_EMPTY
= ImmutableSet.of("a", "font", "img", "input", "span");
static final ImmutableMap DEFAULT_SKIP_TAG_MAP_IF_EMPTY_ATTR;
static {
ImmutableMap.Builder b = ImmutableMap.builder();
for (String elementName : DEFAULT_SKIP_IF_EMPTY) {
b.put(elementName, HtmlTagSkipType.SKIP_BY_DEFAULT);
}
DEFAULT_SKIP_TAG_MAP_IF_EMPTY_ATTR = b.build();
}
/**
* These
* {@code rel} attribute values leaking information to the linked site,
* and prevents the linked page from redirecting your page to a phishing site
* when opened from a third-party link from your site.
*
* @see About rel=noopener
*/
public static final ImmutableSet DEFAULT_RELS_ON_TARGETTED_LINKS
= ImmutableSet.of("noopener", "noreferrer");
static final String DEFAULT_RELS_ON_TARGETTED_LINKS_STR
= Joiner.on(' ').join(DEFAULT_RELS_ON_TARGETTED_LINKS);
private final Map elPolicies = Maps.newLinkedHashMap();
private final Map> attrPolicies
= Maps.newLinkedHashMap();
private final Map globalAttrPolicies
= Maps.newLinkedHashMap();
private final Set allowedProtocols = Sets.newLinkedHashSet();
private final Map skipIssueTagMap = Maps.newLinkedHashMap(DEFAULT_SKIP_TAG_MAP_IF_EMPTY_ATTR);
private final Map textContainers = Maps.newLinkedHashMap();
private HtmlStreamEventProcessor postprocessor =
HtmlStreamEventProcessor.Processors.IDENTITY;
private HtmlStreamEventProcessor preprocessor =
HtmlStreamEventProcessor.Processors.IDENTITY;
private CssSchema stylingPolicySchema = null;
private AttributePolicy styleUrlPolicy =
AttributePolicy.REJECT_ALL_ATTRIBUTE_POLICY;
private Set extraRelsForLinks;
private Set skipRelsForLinks;
/**
* Allows the named elements.
*/
public HtmlPolicyBuilder allowElements(String... elementNames) {
return allowElements(ElementPolicy.IDENTITY_ELEMENT_POLICY, elementNames);
}
/**
* Disallows the named elements. Elements are disallowed by default, so
* there is no need to disallow elements, unless you are making an exception
* based on an earlier allow.
*/
public HtmlPolicyBuilder disallowElements(String... elementNames) {
return allowElements(ElementPolicy.REJECT_ALL_ELEMENT_POLICY, elementNames);
}
private static HtmlElementTables METADATA = HtmlElementTables.get();
/**
* Allow the given elements with the given policy.
*
* @param policy May remove or add attributes, change the element name, or
* deny the element.
*/
public HtmlPolicyBuilder allowElements(
ElementPolicy policy, String... elementNames) {
invalidateCompiledState();
for (String elementName : elementNames) {
elementName = HtmlLexer.canonicalElementName(elementName);
ElementPolicy newPolicy = ElementPolicy.Util.join(
elPolicies.get(elementName), policy);
// Don't remove if newPolicy is the always reject policy since we want
// that to infect later allowElement calls for this particular element
// name. rejects should have higher priority than allows.
elPolicies.put(elementName, newPolicy);
if (!textContainers.containsKey(elementName)) {
if (METADATA.canContainPlainText(METADATA.indexForName(elementName))) {
textContainers.put(elementName, true);
}
}
}
return this;
}
/**
* A canned policy that allows a number of common formatting elements.
*/
public HtmlPolicyBuilder allowCommonInlineFormattingElements() {
return allowElements(
"b", "i", "font", "s", "u", "o", "sup", "sub", "ins", "del", "strong",
"strike", "tt", "code", "big", "small", "br", "span", "em");
}
/**
* A canned policy that allows a number of common block elements.
*/
public HtmlPolicyBuilder allowCommonBlockElements() {
return allowElements(
"p", "div", "h1", "h2", "h3", "h4", "h5", "h6", "ul", "ol", "li",
"blockquote");
}
/**
* Allows text content in the named elements.
* By default, text content is allowed in any
* {@link #allowElements allowed elements} that can contain character data per
* the HTML5 spec, but text content is not allowed by default in elements that
* contain content of other kinds (like JavaScript in {@code