idungotnosn idungotnosn - 6 months ago 14x
HTML Question

Why is the "display" css property not in the default whitelist for the owasp java library?

I am currently using the owasp java library on a backend service in order to sanitize HTML sent from the client. The owasp java library has a CSS whitelist of css rules that it will allow inside of any style tag inside of html elements. You can find that whitelist here.

One thing that I noticed about this whitelist is that the

property is omitted. This means that if I create HTML code like the following:

<div style="margin-left:0px;display:none;"></div>

then the HTML sanitizer with the default styling whitelist will strip out the display rule and the HTML saved on the server will be:

<div style="margin-left:0px;"></div>

Why is the
property not white-listed by default?


Because then the other white-listed styles wouldn't work due to the element not being displayed at all


display has a lot of weird edge cases that affect layout in weird ways.

inline, block, and inline-block are likely safe in most contexts.

fixed is probably safe in none.

table and others are probably dodgy since there may be ways to break visual containment.

Even block and inline block can break visual containment for example with a policy that only allows inline tags when the embedder fixes the width of the container and doesn't hide overflow.