Example 1 with CssSchema

Use of org.owasp.html.CssSchema in the project zm-mailbox by Zimbra: the method setUp of the class OwaspPolicyProducer, which builds the OWASP HTML sanitizer policy (one variant with images neutered, one without) and extends the sanitizer's default CSS whitelist with the project's own property list.

import java.util.List;
import java.util.Set;
import org.owasp.html.CssSchema;
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

// Assumed to be declared elsewhere in OwaspPolicyProducer (not shown on this page):
// private static PolicyFactory policyNeuterImagesTrue;
// private static PolicyFactory policyNeuterImagesFalse;
// HtmlElementsBuilder, HtmlAttributesBuilder, HtmlElement and OwaspPolicy are
// project classes from zm-mailbox, also not shown here.

private static void setUp(boolean neuterImages) {
    // Build the list of HTML elements the policy will allow; whether images are
    // neutered is decided by the caller and threaded through to each element.
    HtmlElementsBuilder builder = new HtmlElementsBuilder(new HtmlAttributesBuilder(), neuterImages);
    List<HtmlElement> allowedElements = builder.build();
    HtmlPolicyBuilder policyBuilder = new HtmlPolicyBuilder();
    // Every allowed link gets rel="nofollow" so sanitized mail cannot pass link equity.
    policyBuilder.requireRelNofollowOnLinks();
    for (HtmlElement htmlElement : allowedElements) {
        htmlElement.configure(policyBuilder, neuterImages);
    }
    // Elements whose text content must be dropped entirely (e.g. script-like bodies).
    Set<String> disallowTextElements = OwaspPolicy.getDisallowTextElements();
    for (String disAllowTextElement : disallowTextElements) {
        policyBuilder.disallowTextIn(disAllowTextElement.trim());
    }
    // Elements whose text content is explicitly permitted.
    Set<String> allowTextElements = OwaspPolicy.getAllowTextElements();
    for (String allowTextElement : allowTextElements) {
        policyBuilder.allowTextIn(allowTextElement.trim());
    }
    /*
     * The following CSS properties do not appear in the default whitelist from
     * OWASP, but they improve the fidelity of the HTML display without
     * unacceptable risk.
     */
    Set<String> cssWhitelist = OwaspPolicy.getCssWhitelist();
    CssSchema ADDITIONAL_CSS = null;
    if (!cssWhitelist.isEmpty()) {
        // CssSchema.withProperties only admits names the sanitizer already knows
        // how to validate; unknown property names are rejected at build time.
        ADDITIONAL_CSS = CssSchema.withProperties(cssWhitelist);
    }
    // URL schemes (e.g. http, https, mailto) permitted in href/src attributes.
    Set<String> urlProtocols = OwaspPolicy.getURLProtocols();
    for (String urlProtocol : urlProtocols) {
        policyBuilder.allowUrlProtocols(urlProtocol.trim());
    }
    // The effective CSS schema is the OWASP default, unioned with the project's
    // additions when there are any. Each PolicyFactory is built once and cached.
    CssSchema effectiveCss = ADDITIONAL_CSS == null
            ? CssSchema.DEFAULT
            : CssSchema.union(CssSchema.DEFAULT, ADDITIONAL_CSS);
    if (neuterImages) {
        if (policyNeuterImagesTrue == null) {
            policyNeuterImagesTrue = policyBuilder.allowStyling(effectiveCss).toFactory();
        }
    } else {
        if (policyNeuterImagesFalse == null) {
            policyNeuterImagesFalse = policyBuilder.allowStyling(effectiveCss).toFactory();
        }
    }
}