From d1260ebe3c11006efcb0e7ad755514f5e308ba1c Mon Sep 17 00:00:00 2001
From: subbudvk <115633743+subbudvk@users.noreply.github.com>
Date: Tue, 27 Feb 2024 14:24:28 +0530
Subject: [PATCH 1/2] Fix: Support table attributes
---
 src/main/java/org/owasp/html/Sanitizers.java | 26 ++++++++++++++++++++
 1 file changed, 26 insertions(+)
diff --git a/src/main/java/org/owasp/html/Sanitizers.java b/src/main/java/org/owasp/html/Sanitizers.java
index ed6f4d93..cae80e75 100644
--- a/src/main/java/org/owasp/html/Sanitizers.java
+++ b/src/main/java/org/owasp/html/Sanitizers.java
@@ -27,6 +27,9 @@
 // POSSIBILITY OF SUCH DAMAGE.
 package org.owasp.html;
+import java.util.Arrays;
+import java.util.List;
+
 /**
 * Pre-packaged HTML sanitizer policies.
@@ -52,6 +55,25 @@
 */
 public final class Sanitizers {
+
+ /**
+ * An AttributePolicy to allow only string literals "row", "col", "rowgroup" and "colgroup" as attribute values for "scope" in element th
+ * Reference : https://developer.mozilla.org/en-US/docs/Web/HTML/Element/th
+ */
+ private static final AttributePolicy TABLE_SCOPE_POLICY = new AttributePolicy() {
+
+ private List thScopeWhitelistValues = Arrays.asList("row","col","rowgroup","colgroup");
+
+ @Override
+ public String apply(String elementName, String attributeName, String value) {
+ if("scope".equals(attributeName)) {
+ if(thScopeWhitelistValues.contains(value.toLowerCase()))
+ return value;
+ }
+ return null;
+ }
+ };
+
 /**
 * Allows common formatting elements including {@code }, {@code }, etc.
 */
@@ -93,6 +115,10 @@ public final class Sanitizers {
 .onElements("table", "tr", "td", "th", "colgroup", "col", "thead", "tbody", "tfoot")
+ .allowAttributes("colspan","rowspan","headers")
+ .onElements("td","th")
+ .allowAttributes("scope").matching(TABLE_SCOPE_POLICY)
+ .onElements("th")
 .allowTextIn("table") // WIDGY
 .toFactory();
From 6e50ad815d660f992d7dcc67e6a0e533494564b3 Mon Sep 17 00:00:00 2001
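Review bot: `value.toLowerCase()` inside the `apply` override of `TABLE_SCOPE_POLICY` uses the JVM default locale and dereferences `value` without a null check, so whether a `scope` value passes the allow-list depends on runtime locale, and a null value (if the library can ever pass one here, which is not visible in this hunk) would throw instead of being rejected. Compare with `value.toLowerCase(Locale.ROOT)` after a null guard, or replace the hand-written policy with the builder's own case-insensitive literal matcher, `.allowAttributes("scope").matching(false, "row", "col", "rowgroup", "colgroup")`, if this version of `HtmlPolicyBuilder` provides that overload. The allow-list field is also declared with the raw type `List`; `private final List<String> thScopeWhitelistValues = Arrays.asList("row", "col", "rowgroup", "colgroup");` keeps it type-checked and prevents reassignment. The `"scope".equals(attributeName)` guard is redundant once the policy is attached only through `.allowAttributes("scope")` in the later hunk, though it is harmless as defence in depth.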
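Review bot: `colspan` and `rowspan` are allowed on `td`/`th` with no value constraint in the new `.allowAttributes("colspan","rowspan","headers")` line, although both are integer-valued attributes and the `scope` attribute added right after it is constrained by a policy. Constrain them the same way the file's IMAGES policy constrains `border`/`height`/`width`, if the `INTEGER` pattern exists in this version: `.allowAttributes("colspan", "rowspan").matching(INTEGER).onElements("td", "th")` followed by `.allowAttributes("headers").onElements("td", "th")`. `headers` is a space-separated list of element ids, so a pattern restricted to id characters and spaces would be tighter still; the sanitizer's attribute-value encoding on output is presumably what prevents markup injection through these values, not the allow-list itself, so the unconstrained form is a tightening opportunity rather than a visible hole. The TABLES builder chain this hunk extends starts outside the hunk.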
From: subbudvk <115633743+subbudvk@users.noreply.github.com>
Date: Tue, 27 Feb 2024 14:26:37 +0530
Subject: [PATCH 2/2] Test : Add test for newly supported attributes
---
 src/test/java/org/owasp/html/SanitizersTest.java | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/src/test/java/org/owasp/html/SanitizersTest.java b/src/test/java/org/owasp/html/SanitizersTest.java
index 4cb7bbca..fe73bd02 100644
--- a/src/test/java/org/owasp/html/SanitizersTest.java
+++ b/src/test/java/org/owasp/html/SanitizersTest.java
@@ -59,6 +59,18 @@ public static final void testFormatting() {
 "

Hello, World!

")); } + @Test + public static final void testTableAttributes() { + String input = "" + + "" + + "
MonthTest
TestA
TestB
Test
"; + assertEquals(input, Sanitizers.TABLES.sanitize(input)); + + //Negative test to ensure 'scope' doesn't allow random values + assertEquals("
\n" + ,Sanitizers.TABLES.sanitize("
\n" + + "")); + } @Test public static final void testBlockElements() { assertEquals("", Sanitizers.BLOCKS.sanitize(null));