Hibernate Validator @SafeHtml does not allow custom HTML tags and attributes… here is a solution to the problem.
Hibernate Validator @SafeHtml does not allow custom HTML tags and attributes
I
have a Java-based backend where I use Hibernate for some more specific bean validation, i.e.: @SafeHtml. It works well for 99% of my needs, however, I have a section that allows users to enter basic HTML to create their own header/footer. Therefore, I need to relax the restrictions here.
For some reason, something is wrong in my code. I’m getting a 400 error request. I really appreciate any help. Thanks in advance!
HTML:
<table bgcolor="navy" cellpadding="0" cellspacing="0" border="0" height="60" width="600" style="border-collapse:collapse; ">
<tr>
<td>
<div style="display:none; font-size:1px; line-height:1px; max-height:0px; max-width:0px;opacity:0;overflow:hidden; mso-hide:all; font-family: sans-serif; ">
</div>
<table align="left" width="600" class="email-container" cellpadding="0" cellspacing="0" border="0">
<tr>
<td style="padding: 20px 10px; width: 100%; font-size: 12px; mso-height-rule: exactly; line-height:14px; text-align: center; color: #CCCCCC; ">
© HELLO WORLD All rights reserved - <a href="https://www.someUrl" style="color: #CCCCCC" target="new" rel="noopener noreferrer">Privacy Policy GK</a>
</td>
</tr>
</table>
</td>
</tr>
</table>
Java:
@SafeHtml(whitelistType = SafeHtml.WhiteListType.RELAXED,
additionalTags = {"html", "tr", "body", "b", "i", "table", "td", "center", "div", "a", "img", "font"},
additionalTagsWithAttributes = {
@SafeHtml.Tag(name = "a", attributesWithProtocols = @SafeHtml.Attribute(name = "href", protocols = "#")),
@SafeHtml.Tag(name = "a", attributes = {"href"}),
@SafeHtml.Tag(name = "body", attributes = {"bgcolor", "width", "style"}),
@SafeHtml.Tag(name = "table", attributes = {"align", "bgcolor", "cellpadding", "cellspacing", "border", "height", "width", "style", "color", "class"}),
@SafeHtml.Tag(name = "td", attributes = {"style", "align", "bgcolor"}),
@SafeHtml.Tag(name = "font", attributes = {"face"}),
@SafeHtml.Tag(name = "img", attributes = {"src", "width", "height", "alt", "border"}),
@SafeHtml.Tag(name = ":all", attributes = {"style", "dir", "checked", "class", "id", "target", "title", "type"})
})
Solution
You are not allowed to use “rel” in “a”. Try it:
@SafeHtml.Tag(name = "a", attributes = {"href", "rel"}),
It will work.
Full test source:
package org.example;
import static org.junit.Assert.assertTrue;
import org.hibernate.validator.constraints.SafeHtml;
import org.hibernate.validator.internal.constraintvalidators.hv.SafeHtmlValidator;
import org.junit.Test;
@SafeHtml(whitelistType = SafeHtml.WhiteListType.RELAXED,
additionalTags = {"html", "tr", "body", "b", "i", "table", "td", "center", "div", "a", "img", "font"},
additionalTagsWithAttributes = {
@SafeHtml.Tag(name = "a", attributesWithProtocols = @SafeHtml.Attribute(name = "href", protocols = "#")),
@SafeHtml.Tag(name = "a", attributes = {"href", "rel"}),
@SafeHtml.Tag(name = "body", attributes = {"bgcolor", "width", "style"}),
@SafeHtml.Tag(name = "table", attributes = {"align", "bgcolor", "cellpadding", "cellspacing", "border", "height", "width", "style", "color", "class"}),
@SafeHtml.Tag(name = "td", attributes = {"style", "align", "bgcolor"}),
@SafeHtml.Tag(name = "font", attributes = {"face"}),
@SafeHtml.Tag(name = "img", attributes = {"src", "width", "height", "alt", "border"}),
@SafeHtml.Tag(name = ":all", attributes = {"style", "dir", "checked", "class", "id", "target", "title", "type"})
})
public class Q60122842Test
{
@Test
public void isValid()
{
String value = " <table bgcolor=\"navy\" cellpadding=\"0\" cellspacing=\"0\" border=\"0\" height=\"60\" width=\"600\" style=\"border-collapse:collapse;\">\n" +
" <tr>\n" +
" <td>\n" +
" <div style=\"display:none; font-size:1px; line-height:1px; max-height:0px; max-width:0px;opacity:0;overflow:hidden; mso-hide:all; font-family: sans-serif;\">\n" +
" </div>\n" +
" <table align=\"left\" width=\"600\" class=\"email-container\" cellpadding=\"0\" cellspacing=\"0\" border=\"0\">\n" +
" <tr>\n" +
" <td style=\"padding: 20px 10px; width: 100%; font-size: 12px; mso-height-rule: exactly; line-height:14px; text-align: center; color: #CCCCCC;\">\n" +
" © HELLO WORLD All rights reserved - <a href=\"https://www.someUrl\" style=\"color: #CCCCCC\" target=\"new\" rel=\"noopener noreferrer\">Privacy Policy GK</a>\n" +
" </td>\n" +
" </tr>\n" +
" </table>\n" +
" </td>\n" +
" </tr>\n" +
" </table>";
SafeHtml annotation = Q60122842Test.class.getAnnotation(SafeHtml.class);
SafeHtmlValidator validator = new SafeHtmlValidator();
validator.initialize( annotation );
assertTrue(validator.isValid(value, null));
}
}