How to allow embedded images when sanitizing html with OWASP Java HTML Sanitizer

Question

I would like to allow:

<img src="data:image/jpg;base64,..."/>

I see there's documentation on how to do this but I don't understand how to implement it. I tried to add the pattern

.allowUrlProtocols("data")
.allowAttributes("src").matching(Pattern.compile("$data:image.*")).onElements("img")

But that didn't work. I understand the pattern must be a regex expression but I'm not sure I understand how it all links up. I get that it's trying to look for img tags and then looks at the src attribute. My understanding is that it should then look for the string data:image and if finds that allows it through. But that's not happening...

Answer 1

The issue is that I had:

private static final PolicyFactory POLICY_DEFINITION = new HtmlPolicyBuilder()
    .allowUrlProtocols("data")
    .allowAttributes("src").matching(ONSITE_OR_OFFSITE_URL).onElements("img")
    .allowAttributes("src").matching(Pattern.compile("^.*data:image/.*$")).onElements("img")
    .toFactory();

This caused an issue in that I assumed allowAttribute would combine both. Instead what you have to do is OR the pattern matching (for whatever pattern you want to match) as in:

Pattern EMBEDDED_IMAGE = Pattern.compile("^.*data:image/.*$")
ONSITE_OR_OFFSITE_URL_OR_EMBEDDED_IMAGE = matchesEither(ONSITE_URL, OFFSITE_URL, EMBEDDED_IMAGE);

private static final PolicyFactory POLICY_DEFINITION = new HtmlPolicyBuilder()
    .allowUrlProtocols("data")
    .allowAttributes("src").matching(ONSITE_OR_OFFSITE_URL_OR_EMBEDDED_IMAGE).onElements("img")
    .toFactory();

This code assumes you're using the EbayPolicyExample

Answer 2

If you got here (like I did) but you are using the HTMLSanitizer for C#, then the answer is:

var sanitizer = new HtmlSanitizer();
sanitizer.AllowedSchemes.Add("data");