<span> elements get removed even when allowed by the policy

[kocakosm]

Hi,

<span> elements get removed by the sanitizer even when they are allowed by the policy.

For instance I'd expect the following code :

Sanitizers.FORMATTING.sanitize("<span>Hi!</span>")

to return <span>Hi!</span> instead of Hi!.

The exact same behaviour can be observed with a custom policy :

new HtmlPolicyBuilder().allowElements("span").toFactory().sanitize("<span>Hi!</span>")

returns Hi! instead of <span>Hi!</span>.

Also, note that other HTML5 inline formatting elements (such as b, i, s, u, sup, sub, ins, del, strong, code, small and em) are not affected by this "bug".

Thanks for your help.

[kocakosm]

You can see this behaviour in this sample project.

[csware]

Empty span is dropped, because it is part on DEFAULT_SKIP_IF_EMPTY.

You need to allow it using allowWithoutAttributes. cf.

java-html-sanitizer/src/test/java/org/owasp/html/HtmlPolicyBuilderTest.java

Lines 712 to 723 in 91c5fdc

	public static final void testSpanTagFilter() {
	PolicyFactory policy = new HtmlPolicyBuilder()
	.allowElements("span")
	.allowWithoutAttributes("span")
	.toFactory();
	String unsafeHtml = policy.sanitize(
	"<span>test1</span>");
	String safeHtml = policy.sanitize(unsafeHtml);
	String expected =
	"<span>test1</span>";
	assertEquals(expected, safeHtml);
	}