BAEL-9261 (#18548)

wynnteo · Wynn Teo · web-flow · commit a467e305665d · 2025-05-21T20:25:53.000-05:00
Co-authored-by: Wynn Teo &lt;wynnteo@Wynns-MacBook-Pro.local&gt;
diff --git a/jsoup/pom.xml b/jsoup/pom.xml
@@ -19,10 +19,16 @@
             <artifactId>jsoup</artifactId>
             <version>${jsoup.version}</version>
         </dependency>
+        <dependency>
+            <groupId>com.googlecode.owasp-java-html-sanitizer</groupId>
+            <artifactId>owasp-java-html-sanitizer</artifactId>
+            <version>${owasp.version}</version>
+        </dependency>
     </dependencies>
 
     <properties>
         <jsoup.version>1.17.2</jsoup.version>
+        <owasp.version>20240325.1</owasp.version>
     </properties>
 
 </project>
diff --git a/jsoup/src/main/java/com/baeldung/jsoup/HTMLSanitizer.java b/jsoup/src/main/java/com/baeldung/jsoup/HTMLSanitizer.java
@@ -0,0 +1,45 @@
+package com.baeldung.jsoup;
+
+import org.jsoup.Jsoup;
+import org.jsoup.safety.Safelist;
+import org.owasp.html.HtmlPolicyBuilder;
+import org.owasp.html.PolicyFactory;
+import org.owasp.html.Sanitizers;
+
+public class HTMLSanitizer {
+
+    private static final PolicyFactory POLICY = Sanitizers.FORMATTING.and(Sanitizers.LINKS);
+    private static final PolicyFactory HTML_POLICY = new HtmlPolicyBuilder().allowCommonBlockElements()
+        .allowCommonInlineFormattingElements()
+        .toFactory();
+
+    private static final PolicyFactory CUSTOM_POLICY = new HtmlPolicyBuilder().allowElements("a", "p", "div", "span", "h1", "h2", "h3")
+        .allowUrlProtocols("https")
+        .allowAttributes("href")
+        .onElements("a")
+        .requireRelNofollowOnLinks()
+        .allowAttributes("class")
+        .globally()
+        .allowStyling()
+        .toFactory();
+
+    public static String sanitizeUsingBasic(String htmlContent) {
+        return POLICY.sanitize(htmlContent);
+    }
+
+    public static String sanitizeUsingHTMLPolicy(String html) {
+        return HTML_POLICY.sanitize(html);
+    }
+
+    public static String sanitizeUsingCustomPolicy(String html) {
+        return CUSTOM_POLICY.sanitize(html);
+    }
+
+    public static String sanitizeUsingJsoup(String html) {
+        Safelist safelist = Safelist.basic()
+            .addTags("h1", "h2", "h3")
+            .addAttributes("a", "target")
+            .addProtocols("a", "href", "http", "https");
+        return Jsoup.clean(html, safelist);
+    }
+}
diff --git a/jsoup/src/test/java/com/baeldung/jsoup/HTMLSanitizerUnitTest.java b/jsoup/src/test/java/com/baeldung/jsoup/HTMLSanitizerUnitTest.java
@@ -0,0 +1,42 @@
+package com.baeldung.jsoup;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import org.junit.jupiter.api.Test;
+
+public class HTMLSanitizerUnitTest {
+
+    @Test
+    void givenScriptAndBasicTags_whenSanitizedWithBasicPolicy_thenStripScriptAndKeepFormatting() {
+        String input = "<script>alert('XSS')</script><b>Hello</b> <a href='https://example.com'>link</a>";
+        String expectedOutput = "<b>Hello</b> <a href=\"https://example.com\" rel=\"nofollow\">link</a>";
+
+        String sanitized = HTMLSanitizer.sanitizeUsingBasic(input);
+        assertEquals(expectedOutput, sanitized);
+    }
+
+    @Test
+    void givenStyledHeadingAndUnsafeLink_whenSanitizedWithCustomPolicy_thenAllowOnlySafeContent() {
+        String input = "<h1 class='title' style='color:red;'>Welcome</h1>"
+            + "<a href='https://example.com' onclick='stealCookies()'>Click</a>"
+            + "<script>alert('xss');</script>";
+        String expectedOutput = "<h1 class=\"title\" style=\"color:red\">Welcome</h1><a href=\"https://example.com\" rel=\"nofollow\">Click</a>";
+        String sanitized = HTMLSanitizer.sanitizeUsingCustomPolicy(input);
+        assertEquals(expectedOutput, sanitized);
+    }
+
+    @Test
+    void givenMixedHtml_whenSanitizedWithCustomPolicy_thenApplyCustomRules() {
+        String input = "<div><span style='color:blue'>Hello</span><script>alert('hack')</script></div>";
+        String expectedOutput = "<div><span style=\"color:blue\">Hello</span></div>";
+        String sanitized = HTMLSanitizer.sanitizeUsingCustomPolicy(input);
+        assertEquals(expectedOutput, sanitized);
+    }
+
+    @Test
+    void givenJavascriptHrefAndTargetAttribute_whenSanitizedWithJsoup_thenOnlyAllowSafeContent() {
+        String input = "<h1 onclick='x()'>Title</h1><a href='javascript:alert(1)' target='_blank'>Click</a>";
+        String expectedOutput = "<h1>Title</h1><a target=\"_blank\" rel=\"nofollow\">Click</a>";
+        String sanitized = HTMLSanitizer.sanitizeUsingJsoup(input);
+        assertEquals(expectedOutput, sanitized);
+    }
+}
