Why is the "display" CSS property not in the default whitelist for the OWASP Java library?
I am using the OWASP Java library in a backend service in order to sanitize HTML sent by the client. The OWASP Java library has a CSS whitelist of the CSS rules allowed inside of the style tag inside of HTML elements. You can find the whitelist here.

One thing I noticed is that in the whitelist the display property is omitted. This means that if I create HTML code like the following:

<div style="margin-left:0px;display:none;"></div>

then the HTML sanitizer with the default styling whitelist strips out the display rule, and the HTML saved on the server will be:

<div style="margin-left:0px;"></div>

Why is the display property not white-listed by default?

Is it because the other white-listed styles wouldn't work due to the element not being displayed?
Update
display has a lot of weird edge cases that affect layout in weird ways.

inline, block, and inline-block are safe in most contexts.

fixed is safe in none.

table and the others are dodgy, since there may be ways to break visual containment. Even block and inline-block can break visual containment, for example when a policy allows inline tags and the embedder fixes the width of the container but doesn't hide overflow.
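As an added example (not code from the question, the answer, or the library's own documentation), the following Java snippet shows the default policy dropping display from the question's markup, and a deliberate opt-in that extends the default schema with display so the trade-off described in the answer is an explicit policy decision. It assumes the OWASP Java HTML Sanitizer's CssSchema.DEFAULT, CssSchema.withProperties and CssSchema.union methods, and that display is among the properties the schema knows how to define.

```java
import java.util.Arrays;
import org.owasp.html.CssSchema;
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

public class DisplayWhitelistDemo {
    // Constructed sample input: the markup from the question above.
    static final String INPUT =
        "<div style=\"margin-left:0px;display:none;\"></div>";

    // Default behaviour: allowStyling() uses CssSchema.DEFAULT, which does not
    // contain "display", so the display declaration is removed from the output.
    static String sanitizeWithDefaults(String html) {
        PolicyFactory policy = new HtmlPolicyBuilder()
            .allowElements("div")
            .allowStyling()
            .toFactory();
        return policy.sanitize(html);
    }

    // Opt-in: extend the default schema with "display". Per the answer, values
    // such as table (and even block/inline-block in some embeddings) can break
    // visual containment, so only use this where the embedder does not rely on
    // the container's fixed width or hidden overflow for containment.
    static String sanitizeAllowingDisplay(String html) {
        // Assumption: withProperties(...) looks the property up in the schema's
        // built-in definitions and union(...) merges it with the default set.
        CssSchema schema = CssSchema.union(
            CssSchema.DEFAULT,
            CssSchema.withProperties(Arrays.asList("display")));
        PolicyFactory policy = new HtmlPolicyBuilder()
            .allowElements("div")
            .allowStyling(schema)
            .toFactory();
        return policy.sanitize(html);
    }

    public static void main(String[] args) {
        // First line: no "display" in the style attribute.
        System.out.println(sanitizeWithDefaults(INPUT));
        // Second line: "display:none" survives because it was whitelisted.
        System.out.println(sanitizeAllowingDisplay(INPUT));
    }
}
```

The sanitizer normalises CSS when it re-emits it (for example trailing semicolons and unit formatting may change), so compare the presence of the display declaration rather than the exact string.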