Question

I use Jsoup to protect my app from XSS attacks. I get all the input parameters and run Jsoup.clean on them, but I have a problem with that.

It removes all inline stylesheets! Why? I have a part in my app where a user can write a text and publish it as an announcement. He/she writes the text via TinyMCE, which adds some HTML and styles to the user's text. Below you can see an example text created by TinyMCE:

User input: Center Aligned Text
TinyMCE result: <p style="text-align: center;">Center Aligned Text</p>
Jsoup.clean(text, Whitelist.relaxed()) output: <p>Center Aligned Text</p>

As you can see, Jsoup removes the style of the <p> tag. How can I tell it not to remove simple CSS?
Thanks.


Solution

By default the Whitelist class removes style, but you can easily modify this behaviour and add support for style with addAttributes("p", "style").

Whitelist.relaxed().addAttributes("p", "style");

Explanation

This marks the style attribute on the p element as allowed during cleaning. Only style on p will not be removed!

Verification code

Simply copy paste this code and invoke from main.

import org.jsoup.Jsoup;
import org.jsoup.safety.Whitelist;

public class JsoupStyleTest {
    public static void main(String[] args) {
        // TinyMCE output for a centre-aligned paragraph
        String text = "<p style=\"text-align: center;\">Center Aligned Text</p>";
        // relaxed() whitelist, plus the style attribute on <p>
        String clean = Jsoup.clean(text, Whitelist.relaxed()
                .addAttributes("p", "style"));
        System.out.println(clean);
    }
}

Result

<p style="text-align: center;">Center Aligned Text</p>

Dependency

org.jsoup:jsoup:1.7.3
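Whitelist.addAttributes only allows the attribute name; it does not inspect the attribute's value, so any CSS placed in style on a p element passes through unchanged. The following added example (not part of the original answer) keeps the accepted approach and then post-filters the surviving style values down to the single text-align declaration TinyMCE emits for alignment; the class name, the allowed-value pattern and the sample inputs are assumptions for this illustration.

```java
import java.util.regex.Pattern;
import org.jsoup.Jsoup;
import org.jsoup.nodes.Document;
import org.jsoup.nodes.Element;
import org.jsoup.safety.Whitelist;

public class AnnouncementCleaner {
    // Assumed policy for this example: the only inline CSS an announcement may carry
    // is a single text-align declaration with one of the four standard keywords.
    private static final Pattern ALLOWED_STYLE = Pattern.compile(
            "^\\s*text-align\\s*:\\s*(left|center|right|justify)\\s*;?\\s*$");

    public static String clean(String html) {
        // Step 1: structural whitelist, exactly as in the accepted answer.
        String cleaned = Jsoup.clean(html,
                Whitelist.relaxed().addAttributes("p", "style"));

        // Step 2: the whitelist does not validate attribute values, so re-parse the
        // cleaned fragment and drop every style value that is not a plain text-align.
        Document doc = Jsoup.parseBodyFragment(cleaned);
        for (Element el : doc.select("[style]")) {
            if (!ALLOWED_STYLE.matcher(el.attr("style")).matches()) {
                el.removeAttr("style");
            }
        }
        doc.outputSettings().prettyPrint(false);
        return doc.body().html();
    }

    public static void main(String[] args) {
        // Constructed inputs: the TinyMCE paragraph from the question, and one
        // carrying an extra declaration that the policy above does not allow.
        System.out.println(clean(
                "<p style=\"text-align: center;\">Center Aligned Text</p>"));
        System.out.println(clean(
                "<p style=\"text-align: center; color: red;\">Center Aligned Text</p>"));
    }
}
```

The first call keeps the style attribute as in the answer's result; the second returns the paragraph with no style attribute at all, because the whole value failed the pattern.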
Licensed under: CC-BY-SA with attribution