PolicyFactory Sanitize method weird output


From Toombs....@gmail.com on February 07, 2014 14:39:06

What steps will reproduce the problem?
1. Create PolicyFactory with all added sanitizers (Formatting/Images/Links/Styles/Blocks)
2. Pass "<b><h1>text</h1></b>" to the PolicyFactory.sanitize(String html)
3. Result returned is "<b></b><b><h1>text</h1></b>"

What is the expected output? What do you see instead?
- Expected "<b><h1>text</h1></b>"
- Received "<b></b><b><h1>text</h1></b>"

What version of the product are you using? On what operating system?
- Windows 7 64-bit
- Maven dependency:
<version> r209 </version>
</dependency>

Does this issue affect only a specified browser or set of browsers?
- This is browser unrelated, testing simply through JUnit tests

Please provide any additional information below.
I am currently using this method in a loop and exiting the loop when the string has been fully sanitized, based on the idea that it will be sanitized when the previous sanitization result equals the current sanitization result. Unfortunately, with this issue, on some inputs the sanitize method does not stop adding tags, resulting in an infinite loop because the previous sanitization of the string will never equal the current sanitization of the string.

Original issue: http://code.google.com/p/owasp-esapi-java/issues/detail?id=318
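The loop pattern described in the report, with a hard pass budget so a non-idempotent sanitizer output cannot spin forever. This is an added example, not the reporter's code and not part of the sanitizer library; it assumes the OWASP Java HTML Sanitizer's `Sanitizers` constants and `PolicyFactory.sanitize`, while the class name, `MAX_PASSES` and the helper methods are this example's own.

```java
import org.owasp.html.PolicyFactory;
import org.owasp.html.Sanitizers;

public class BoundedSanitize {
    // Combined policy as described in the report: Formatting/Images/Links/Styles/Blocks.
    private static final PolicyFactory POLICY = Sanitizers.FORMATTING
            .and(Sanitizers.IMAGES)
            .and(Sanitizers.LINKS)
            .and(Sanitizers.STYLES)
            .and(Sanitizers.BLOCKS);

    // Upper bound on re-sanitization passes (value chosen for this example).
    private static final int MAX_PASSES = 3;

    // True when one more pass leaves the string unchanged, i.e. it is a fixed point.
    static boolean isStable(String html) {
        return POLICY.sanitize(html).equals(html);
    }

    // Re-sanitizes until the output stops changing or the pass budget is spent.
    // Every pass output has already been filtered by the policy, so the last one
    // is safe to emit even when no fixed point was reached; the caller can use
    // isStable() to tell the two cases apart instead of looping again.
    static String sanitizeToFixedPoint(String html) {
        String previous = html;
        for (int pass = 0; pass < MAX_PASSES; pass++) {
            String current = POLICY.sanitize(previous);
            if (current.equals(previous)) {
                return current; // converged
            }
            previous = current;
        }
        return previous; // budget exhausted: still changing, as with the report's input
    }

    public static void main(String[] args) {
        String input = "<b><h1>text</h1></b>"; // the reporter's input
        String out = sanitizeToFixedPoint(input);
        System.out.println(out);
        System.out.println("stable after " + MAX_PASSES + " passes: " + isStable(out));
    }
}
```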

Max Gelman