Add overflow-wrap to CssSchema definition list (#312)

Signed-off-by: Sven Strickroth <[email protected]> Co-authored-by: Mike Samuel <[email protected]>
OWASP · Feb 2, 2024 · 3c86741 · 3c86741
1 parent c42cc40
commit 3c86741
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 0 deletions.
diff --git a/src/main/java/org/owasp/html/CssSchema.java b/src/main/java/org/owasp/html/CssSchema.java
@@ -424,6 +424,8 @@ Property forKey(String propertyName) {
         "auto", "inherit", "none");
     Set<String> overflowLiterals0 = Set.of(
         "auto", "hidden", "inherit", "scroll", "visible");
+    Set<String> overflowWrapLiterals0 = Set.of(
+        "normal", "break-word", "anywhere", "inherit");
     Set<String> overflowXLiterals0 = Set.of(
         "no-content", "no-display");
     Set<String> overflowXLiterals1 = Set.of(
@@ -668,6 +670,7 @@ Property forKey(String propertyName) {
     Property opacity = new Property(1, mozOpacityLiterals0, zeroFns);
     builder.put("opacity", opacity);
     builder.put("overflow", new Property(0, overflowLiterals0, zeroFns));
+    builder.put("overflow-wrap", new Property(0, overflowWrapLiterals0, zeroFns));
     @SuppressWarnings("unchecked")
     Property overflowX = new Property(
         0, union(overflowXLiterals0, overflowXLiterals1), zeroFns);

diff --git a/src/test/java/org/owasp/html/HtmlPolicyBuilderTest.java b/src/test/java/org/owasp/html/HtmlPolicyBuilderTest.java
@@ -1029,6 +1029,38 @@ public static final void testSkipAndRequireRels() {
             pf.sanitize("<a href=\"http://example.com\" rel=noopener target=\"_blank\">eg</a>"));
   }
 
+  @Test
+  public static final void testOverflowWrap() {
+    PolicyFactory pf = new HtmlPolicyBuilder()
+        .allowElements("span")
+        .allowStyling(CssSchema.union(CssSchema.DEFAULT, CssSchema.withProperties(List.of("overflow-wrap"))))
+        .toFactory();
+
+    assertEquals(
+        "<span style=\"overflow-wrap:anywhere\">Something</span>",
+        pf.sanitize("<span style=\"overflow-wrap: anywhere\">Something</span>"));
+
+    assertEquals(
+        "<span style=\"overflow-wrap:inherit\">Something</span>",
+        pf.sanitize("<span style=\"overflow-wrap: inherit\">Something</span>"));
+
+    assertEquals(
+        "Something",
+        pf.sanitize("<span style=\"overflow-wrap: something\">Something</span>"));
+  }
+
+  @Test
+  public static final void testOverflowWrapNotAllowed() {
+    PolicyFactory pf = new HtmlPolicyBuilder()
+        .allowElements("span")
+        .allowStyling()
+        .toFactory();
+
+    assertEquals(
+        "Something",
+        pf.sanitize("<span style=\"overflow-wrap: anywhere\">Something</span>"));
+  }
+
   @Test
   public static final void testExplicitRelsSkip() {
     PolicyFactory pf = new HtmlPolicyBuilder()