I would like to allow:
<img src="data:image/jpg;base64,..."/>
I see there's documentation on how to do this but I don't understand how to implement it. I tried to add the pattern
.allowUrlProtocols("data")
.allowAttributes("src").matching(Pattern.compile("$data:image.*")).onElements("img")
But that didn't work. I understand the pattern must be a regex expression but I'm not sure I understand how it all links up. I get that it's trying to look for img tags and then looks at the src attribute. My understanding is that it should then look for the string data:image and if finds that allows it through. But that's not happening...
The issue is that I had:
private static final PolicyFactory POLICY_DEFINITION = new HtmlPolicyBuilder()
.allowUrlProtocols("data")
.allowAttributes("src").matching(ONSITE_OR_OFFSITE_URL).onElements("img")
.allowAttributes("src").matching(Pattern.compile("^.*data:image/.*$")).onElements("img")
.toFactory();
This caused an issue in that I assumed allowAttribute would combine both. Instead what you have to do is OR the pattern matching (for whatever pattern you want to match) as in:
Pattern EMBEDDED_IMAGE = Pattern.compile("^.*data:image/.*$")
ONSITE_OR_OFFSITE_URL_OR_EMBEDDED_IMAGE = matchesEither(ONSITE_URL, OFFSITE_URL, EMBEDDED_IMAGE);
private static final PolicyFactory POLICY_DEFINITION = new HtmlPolicyBuilder()
.allowUrlProtocols("data")
.allowAttributes("src").matching(ONSITE_OR_OFFSITE_URL_OR_EMBEDDED_IMAGE).onElements("img")
.toFactory();
This code assumes you're using the EbayPolicyExample
If you got here (like I did) but you are using the HTMLSanitizer for C#, then the answer is:
var sanitizer = new HtmlSanitizer();
sanitizer.AllowedSchemes.Add("data");
来源:https://stackoverflow.com/questions/47345392/how-to-allow-embedded-images-when-sanitizing-html-with-owasp-java-html-sanitizer