authormikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425>2014-05-14 16:33:20 +0000
committerAndroid Git Automerger <android-git-automerger@android.com>2014-05-14 16:33:20 +0000
commit8b9b463cd9e32bf59c7ac5ee95211e3d5fe6d1a8 (patch)
tree621720abcefd868f057329ad5f54463624e34f28
parent9fe9a934404e8397eb392fd38d31d4e3e93fa916 (diff)
parent7d0755627f174ec9d5f148bd9fa3a5cc732edb3f (diff)
am 7d075562: fix issue 24: protocol whitelisting not case-insensitive
* commit '7d0755627f174ec9d5f148bd9fa3a5cc732edb3f': fix issue 24: protocol whitelisting not case-insensitive
-rw-r--r--src/main/org/owasp/html/FilterUrlByProtocolAttributePolicy.java3
-rw-r--r--src/tests/org/owasp/html/SanitizersTest.java27
2 files changed, 29 insertions, 1 deletions
diff --git a/src/main/org/owasp/html/FilterUrlByProtocolAttributePolicy.java b/src/main/org/owasp/html/FilterUrlByProtocolAttributePolicy.java
index 855d45c..48c9723 100644
--- a/src/main/org/owasp/html/FilterUrlByProtocolAttributePolicy.java
+++ b/src/main/org/owasp/html/FilterUrlByProtocolAttributePolicy.java
@@ -77,7 +77,8 @@ public class FilterUrlByProtocolAttributePolicy implements AttributePolicy {
}
break protocol_loop;
case ':':
- if (!protocols.contains(s.substring(0, i))) { return null; }
+ String protocol = Strings.toLowerCase(s.substring(0, i));
+ if (!protocols.contains(protocol)) { return null; }
break protocol_loop;
}
}
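Review bot: The lowercased `protocol` is only as good as the contents of `protocols`: the fix works only if every entry in that set is stored in lower case, and the hunk does not show where the set is populated, so the builder path (`allowUrlProtocols(...)` or this class's constructor) should normalize with the same `Strings.toLowerCase` call, otherwise a caller whitelisting `"HTTPS"` gets an entry that never matches after this change. The new line also deserves a why-comment, since a reader will wonder why `String.toLowerCase()` was not used; presumably the helper is locale-independent so that, e.g., Turkish U+0130 is not folded into an ASCII scheme name — worth confirming and stating as `// Locale-independent fold: a non-ASCII letter must not match an ASCII scheme name.`. The enclosing `protocol_loop` and the method containing it start and end outside the hunk.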
diff --git a/src/tests/org/owasp/html/SanitizersTest.java b/src/tests/org/owasp/html/SanitizersTest.java
index 50c0353..052ab02 100644
--- a/src/tests/org/owasp/html/SanitizersTest.java
+++ b/src/tests/org/owasp/html/SanitizersTest.java
@@ -158,6 +158,11 @@ public class SanitizersTest extends TestCase {
"<a href=\"https://example.com/x.html\""
+ " onclick=\"alert(1337)\">Link text</a>"));
assertEquals(
+ "<a href=\"HTTPS://example.com/x.html\" rel=\"nofollow\">Link text</a>",
+ s.sanitize(
+ "<a href=\"HTTPS://example.com/x.html\""
+ + " onclick=\"alert(1337)\">Link text</a>"));
+ assertEquals(
"<a href=\"//example.com/x.html\" rel=\"nofollow\">Link text</a>",
s.sanitize(
"<a href=\"//example.com/x.html\""
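Review bot: The new `HTTPS://` assertion has no comment explaining what it pins down, and it sits between two assertions that look nearly identical, so a future reader may delete it as a duplicate; a one-line comment such as `// Issue 24: the scheme check is case-insensitive, but the attribute value is emitted unchanged.` would make the intent clear. Note that the assertion also documents that the URL's original casing is preserved in the output, which is a separate contract from the whitelist matching and is worth naming explicitly. The enclosing test method starts and ends outside the hunk.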
@@ -175,6 +180,28 @@ public class SanitizersTest extends TestCase {
}
@Test
+ public static final void testExplicitlyAllowedProtocolsAreCaseInsensitive() {
+ // Issue 24.
+ PolicyFactory s = new HtmlPolicyBuilder()
+ .allowElements("a")
+ .allowAttributes("href").onElements("a")
+ .allowStandardUrlProtocols()
+ .allowUrlProtocols("file") // Don't try this at home
+ .toFactory();
+ String input = (
+ "<a href='file:///etc/passwd'>Copy and paste this into email</a>"
+ + "<a href='FILE:///etc/passwd'>Or this one</a>"
+ + "<a href='F\u0130LE:///etc/passwd'>not with Turkish dotted I's</a>"
+ + "<a href='fail:///etc/passed'>The fail protocol needs to happen</a>");
+ String want = (
+ "<a href=\"file:///etc/passwd\">Copy and paste this into email</a>"
+ + "<a href=\"FILE:///etc/passwd\">Or this one</a>"
+ + "not with Turkish dotted I&#39;s"
+ + "The fail protocol needs to happen");
+ assertEquals(want, s.sanitize(input));
+ }
+
+ @Test
public static final void testIssue9StylesInTables() {
String input = ""
+ "<table style=\"color: rgb(0, 0, 0);"