diff --git a/owasp-java-html-sanitizer/src/main/java/org/owasp/html/HtmlStreamRenderer.java b/owasp-java-html-sanitizer/src/main/java/org/owasp/html/HtmlStreamRenderer.java
index 7e657ee1..7d7a24d2 100644
--- a/owasp-java-html-sanitizer/src/main/java/org/owasp/html/HtmlStreamRenderer.java
+++ b/owasp-java-html-sanitizer/src/main/java/org/owasp/html/HtmlStreamRenderer.java
@@ -393,9 +393,11 @@ static boolean isValidHtmlName(String name) {
         if (i == 0 || i + 1 == n) { return false; }
         break;
       case '-':
-      case '_':
         if (i == 0 || i + 1 == n) { return false; }
         break;
+      case '_':
+        if (i + 1 == n) { return false; }
+        break;
       default:
         if (ch <= '9') {
           if (i == 0 || ch < '0') { return false; }
diff --git a/owasp-java-html-sanitizer/src/test/java/org/owasp/html/HtmlSanitizerTest.java b/owasp-java-html-sanitizer/src/test/java/org/owasp/html/HtmlSanitizerTest.java
index 1ff169df..b6693349 100644
--- a/owasp-java-html-sanitizer/src/test/java/org/owasp/html/HtmlSanitizerTest.java
+++ b/owasp-java-html-sanitizer/src/test/java/org/owasp/html/HtmlSanitizerTest.java
@@ -195,6 +195,13 @@ public static final void testEmptyAndValuelessAttributes() {
         sanitize(""));
   }
 
+  @Test
+  public final void testAllowedAttributes() {
+    assertEquals(
+        "
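Review bot: The new `case '_'` branch keeps the trailing-position rejection but drops the leading one with nothing saying why, while the `case '-'` branch directly above still rejects both ends, so a reader comparing the two labels will suspect one of them is a typo. Since isValidHtmlName is the gate deciding which element and attribute names reach the rendered output, the relaxation deserves a line above the new label, e.g. `// '_' may start a name (the test policy allows __foo) but may not end one; '-' is still rejected at both ends.` The test added to HtmlSanitizerTest on this page only exercises leading underscores, as far as its expected strings can be read here, so the boundary this hunk retains — a name ending in `_`, or a lone `_` — is not pinned; a direct `assertFalse(HtmlStreamRenderer.isValidHtmlName("foo_"));` in the same package would cover it, as the method appears to be package-private from the hunk header. isValidHtmlName begins and ends outside the hunk.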
", + sanitize("")); + } + @Test public static final void testSgmlShortTags() { // We make no attempt to correctly handle SGML short tags since they are @@ -471,7 +478,8 @@ public void handle(String errorMessage) { "ol", "p", "span", "ul", "noscript", "noframes", "noembed", "noxss") // And these attributes. .allowAttributes( - "dir", "checked", "class", "href", "id", "target", "title", "type") + "dir", "checked", "class", "href", "id", "target", "title", "type", + "__foo", "__bar", "foo-bar") .globally() // Cleanup IDs and CLASSes and prefix them with p- to move to a separate // name-space.