Tags: java, xss, owasp, cross-site, html-sanitizing

HtmlPolicyBuilder: href is not coming through in the <u> tag after using PolicyFactory.sanitize in Java code


<u href="javascript:toggleTable('*****')" onMouseOver="this.style.color='red'" onMouseOut="this.style.color='#000000'">*****</u>

After sanitising, the element above (which sits under a th tag) comes out without the href attribute, as shown below:

<u onmouseover="this.style.color='red'" onmouseout="this.style.color='#000000'">*****</u>

Below is the code snippet with which I'm trying to allow the href attribute under the u element:

import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

// Policy as posted: href plus the onMouseOver/onMouseOut handlers are listed for <u>
PolicyFactory html = new HtmlPolicyBuilder()
    .allowElements("u")
    .allowAttributes("href", "onMouseOver", "onMouseOut").onElements("u")
    .allowTextIn("u")
    .allowCommonBlockElements()
    .allowCommonInlineFormattingElements()
    .allowStandardUrlProtocols()   // http, https, mailto
    .allowUrlProtocols("href")     // "href" is passed here as if it were a URL scheme
    .allowStyling()
    .requireRelNofollowOnLinks()
    .allowAttributes("href").globally()
    .toFactory();

I'm facing the same issue with the table and tr elements as well. The style attribute is not coming through under the table and tr elements either.

Any suggestion/help is appreciated. Thanks in advance.


Solution

  • The href attribute is being removed because it doesn't have an allowed protocol. If .allowUrlProtocols("href") is changed to .allowUrlProtocols("javascript") then it would be allowed.

    Allowing javascript URLs, or onMouseOver and onMouseOut attributes will allow scripts to be executed though and be vulnerable to XSS attacks.

    Instead, you can change the design. Mouse-over styling doesn't need JavaScript. It can be done with CSS :hover selectors.
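The design change the answer recommends, written out as an added example (this is not the asker's code and not part of the OWASP java-html-sanitizer project). The class name, the `hover-red` class and the CSS rule are assumptions; the policy allows `u` to carry a `class` attribute so that hover colouring comes from a stylesheet, keeps `style` filtered through the sanitizer's default CSS schema, and never lists `javascript` as a URL protocol:

```java
import java.util.regex.Pattern;

import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

public class HoverWithoutScript {

    // The hover effect lives in a stylesheet the sanitizer never sees, so the
    // sanitised fragment needs neither a javascript: URL nor an inline handler.
    // (Assumed class name and rule, not from the question.)
    static final String HOVER_CSS = "u.hover-red:hover { color: red; }";

    // Hardened policy: <u>, <table> and <tr> may carry a class made of simple
    // tokens; allowStyling() admits a style attribute whose CSS is filtered by
    // CssSchema.DEFAULT; only the standard protocols (http, https, mailto) are
    // accepted in href, and href is only allowed on <a>.
    static final PolicyFactory POLICY = new HtmlPolicyBuilder()
            .allowElements("u", "table", "thead", "tbody", "tr", "th", "td")
            .allowTextIn("u", "th", "td")
            .allowAttributes("class")
                .matching(Pattern.compile("[A-Za-z0-9_-]+( [A-Za-z0-9_-]+)*"))
                .onElements("u", "table", "tr")
            .allowStyling()
            .allowStandardUrlProtocols()
            .allowElements("a")
            .allowAttributes("href").onElements("a")
            .requireRelNofollowOnLinks()
            .toFactory();

    public static String sanitize(String untrustedHtml) {
        return POLICY.sanitize(untrustedHtml);
    }

    public static void main(String[] args) {
        // Constructed sample mirroring the question's markup, with a benign link added.
        String input = "<table style=\"width:100%\"><tr><th>"
                + "<u class=\"hover-red\" href=\"javascript:toggleTable('t1')\""
                + " onMouseOver=\"this.style.color='red'\""
                + " onMouseOut=\"this.style.color='#000000'\">Toggle</u>"
                + " <a href=\"https://example.com/\">docs</a>"
                + "</th></tr></table>";
        System.out.println(sanitize(input));
    }
}
```

Running it, the `javascript:` href and both `on*` handlers are dropped because the policy never lists them, while `class`, the filtered `style` and the `https:` link (with `rel="nofollow"` added) survive. The `matching(Pattern)` restriction on `class` keeps the attribute from smuggling anything beyond plain token names; the `HOVER_CSS` rule is served from a normal stylesheet, outside the sanitised content.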