html - Why is the "display" css property not in the default whitelist for the owasp java library?


I am using the OWASP Java library on a backend service in order to sanitize HTML sent from the client. The OWASP Java library has a CSS whitelist of the CSS rules allowed inside the style attribute of HTML elements. You can find the whitelist here.

One thing I noticed is that the display property is omitted from the whitelist. This means that if I create HTML code like the following:

<div style="margin-left:0px;display:none;"></div> 

then the HTML sanitizer with the default styling whitelist will strip out the display rule, and the HTML saved on the server will be:

<div style="margin-left:0px;"></div> 

Why is the display property not white-listed by default?

Because the other white-listed styles wouldn't work due to the element not being displayed?

Update

display has a lot of weird edge cases that affect layout in weird ways.

inline, block, and inline-block are safe in most contexts.

fixed is safe in none.

table and the others are dodgy since there may be ways to break visual containment.

Even block and inline-block can break visual containment, for example if a policy allows inline tags when the embedder fixes the width of the container and doesn't hide overflow.

Source
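As an added example (not code from the question, the answer, or the OWASP project itself): a small Java program that sanitizes the question's markup first with the library's default CSS whitelist and then with a policy that opts display in, restricted to the keyword values the answer calls safe. It assumes the OWASP Java HTML Sanitizer API (HtmlPolicyBuilder, CssSchema, PolicyFactory) and Guava on the classpath; the CssSchema.Property constructor signature used below is an assumption.

```java
import org.owasp.html.CssSchema;
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

import com.google.common.collect.ImmutableMap;
import com.google.common.collect.ImmutableSet;

public class DisplayPolicyDemo {

    // Constructed input: the markup from the question.
    static final String INPUT = "<div style=\"margin-left:0px;display:none;\"></div>";

    // Policy 1: the library's default CSS whitelist (CssSchema.DEFAULT).
    // It has no "display" entry, so that declaration is dropped while
    // margin-left is kept, as the question describes.
    static final PolicyFactory DEFAULT_POLICY = new HtmlPolicyBuilder()
            .allowElements("div")
            .allowStyling()
            .toFactory();

    // Policy 2: explicitly opt "display" in, but only with the keyword
    // values the answer calls safe. "none", "table", "fixed" and any
    // other value are not in the literal set and so never reach the output.
    // Assumption: CssSchema.Property(bits, literals, fnKeys) is public and
    // bits == 0 means "accept only the listed literal keywords".
    static final CssSchema SAFE_DISPLAY = CssSchema.withProperties(
            ImmutableMap.of("display", new CssSchema.Property(
                    0,
                    ImmutableSet.of("inline", "block", "inline-block"),
                    ImmutableMap.<String, String>of())));

    static final PolicyFactory DISPLAY_POLICY = new HtmlPolicyBuilder()
            .allowElements("div")
            .allowStyling(CssSchema.union(CssSchema.DEFAULT, SAFE_DISPLAY))
            .toFactory();

    public static void main(String[] args) {
        // Default whitelist: display is not a known property at all.
        System.out.println(DEFAULT_POLICY.sanitize(INPUT));
        // Restricted whitelist: display is known, but "none" is not an allowed literal.
        System.out.println(DISPLAY_POLICY.sanitize(INPUT));
        // Restricted whitelist: an allowed literal passes through.
        System.out.println(DISPLAY_POLICY.sanitize("<div style=\"display:inline-block\"></div>"));
        // Restricted whitelist: a containment-breaking value is dropped.
        System.out.println(DISPLAY_POLICY.sanitize("<div style=\"display:table\"></div>"));
    }
}
```

The union keeps every property the default schema already allows and adds only the narrowed display definition, so the rest of the sanitizer's behaviour is unchanged.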

