Why is the "display" CSS property not in the default whitelist for the OWASP Java library?

I am currently using the OWASP Java library on a backend service in order to sanitize HTML sent from the client. The OWASP Java library has a CSS whitelist of CSS rules that it will allow inside of any style attribute on HTML elements. You can find that whitelist here.

One thing I noticed about this whitelist is that the display property is omitted. This means that if I create HTML like the following:

<div style="margin-left:0px;display:none;"></div>

then an HTML sanitizer with the default style whitelist will strip the display rule, and the HTML saved on the server will be:

<div style="margin-left:0px;"></div>

Why is the display property not in the whitelist by default?

Because the other whitelisted styles would not work, since the element is not displayed at all.

Update

display has a lot of weird edge cases that affect layout in weird ways.

inline, block, and inline-block are likely safe in most contexts.

fixed is probably safe in none.

table and others are probably dodgy since there may be ways to break visual containment.

Even block and inline-block can break visual containment, for example with a policy that only allows inline tags when the embedder fixes the width of the container and doesn't hide overflow.

Source
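As an added example (not code from the original question, the answer, or the OWASP project itself), here is how the default whitelist can be extended so that `display` is accepted only with the values the answer calls likely safe (`inline`, `block`, `inline-block`), while `none`, `table` and anything else is still stripped. It assumes the OWASP Java HTML Sanitizer (`org.owasp.html`) and its Guava dependency are on the classpath; the use of `CssSchema.Property` and `CssSchema.withProperties` reflects my reading of the library's public API and should be checked against the version you run. The class name `DisplayWhitelistExample` and the sample inputs are constructed for the example.

```java
import com.google.common.collect.ImmutableMap;
import com.google.common.collect.ImmutableSet;
import org.owasp.html.CssSchema;
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

// Added example (hypothetical class name): extends CssSchema.DEFAULT with a
// value-restricted "display" property instead of allowing every display value.
public final class DisplayWhitelistExample {

    // Only the keyword values the answer considers safe in most contexts.
    private static final ImmutableSet<String> SAFE_DISPLAY_VALUES =
        ImmutableSet.of("inline", "block", "inline-block");

    static PolicyFactory buildPolicy() {
        // bits = 0: no generic token classes (lengths, colours, URLs, ...) are
        // accepted for display; only the literal keywords above pass.
        // fnKeys is empty because display takes no function-style values.
        CssSchema.Property display =
            new CssSchema.Property(0, SAFE_DISPLAY_VALUES, ImmutableMap.of());

        // Union keeps every rule from the default whitelist and adds ours.
        CssSchema schema = CssSchema.union(
            CssSchema.DEFAULT,
            CssSchema.withProperties(ImmutableMap.of("display", display)));

        return new HtmlPolicyBuilder()
            .allowElements("div", "span", "p")
            .allowStyling(schema)
            .toFactory();
    }

    public static void main(String[] args) {
        PolicyFactory policy = buildPolicy();

        // Constructed inputs. The first is the original post's markup:
        // display:none is not in SAFE_DISPLAY_VALUES, so it is still removed
        // and only margin-left survives.
        System.out.println(policy.sanitize(
            "<div style=\"margin-left:0px;display:none;\"></div>"));

        // A whitelisted keyword is kept alongside the default rules.
        System.out.println(policy.sanitize(
            "<div style=\"margin-left:0px;display:inline-block;\"></div>"));

        // A value the answer flags as dodgy for visual containment is dropped.
        System.out.println(policy.sanitize(
            "<div style=\"display:table;\"></div>"));
    }
}
```

Restricting the literals rather than calling `CssSchema.withProperties` with just the property name is the point of the example: the library's full property definitions would otherwise admit every `display` keyword, including the ones the answer says can break the embedder's layout containment.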