hmcts · justiceia · Jun 17, 2025 · Jun 19, 2025 · Jun 19, 2025 · Jun 19, 2025
diff --git a/src/functionalTest/java/uk/gov/hmcts/dts/fact/admin/AdminCourtFacilityEndpointTest.java b/src/functionalTest/java/uk/gov/hmcts/dts/fact/admin/AdminCourtFacilityEndpointTest.java
@@ -1,6 +1,7 @@
 package uk.gov.hmcts.dts.fact.admin;
 
 import com.fasterxml.jackson.core.JsonProcessingException;
+import org.apache.commons.text.StringEscapeUtils;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.springframework.test.context.junit.jupiter.SpringExtension;
@@ -150,8 +151,12 @@ private List<Facility> getCurrentFacilities() {
     @SuppressWarnings("PMD.DataflowAnomalyAnalysis")
     private List<Facility> updateFacilities(final List<Facility> facilities) {
         for (Facility facility: facilities) {
-            facility.setDescription(OwaspHtmlSanitizer.sanitizeHtml(facility.getDescription()));
-            facility.setDescriptionCy(OwaspHtmlSanitizer.sanitizeHtml(facility.getDescriptionCy()));
+            facility.setDescription(StringEscapeUtils.unescapeHtml4(OwaspHtmlSanitizer.sanitizeHtml(
+                StringEscapeUtils.unescapeHtml4(facility.getDescription())
+            )));
+            facility.setDescriptionCy(StringEscapeUtils.unescapeHtml4(OwaspHtmlSanitizer.sanitizeHtml(
+                StringEscapeUtils.unescapeHtml4(facility.getDescriptionCy())
+            )));
         }
         final List<Facility> updatedFacilities = new ArrayList<>(facilities);
         Facility facility = new Facility();

diff --git a/src/integrationTest/resources/deprecated/aylesbury-magistrates-court-and-family-court.json b/src/integrationTest/resources/deprecated/aylesbury-magistrates-court-and-family-court.json
@@ -62,31 +62,31 @@
   ],
   "facilities": [
     {
-      "description": "<p>Assistance dogs are welcome.</p>",
+      "description": "Assistance dogs are welcome.",
       "name": "Assistance dogs"
     },
     {
-      "description": "<p>The car park is unavailable for public access.</p>\r\n<p>&nbsp;</p>",
+      "description": "The car park is unavailable for public access.\r\n ",
       "name": "Parking"
     },
     {
-      "description": "<p>4 interview rooms are available on the ground floor</p>",
+      "description": "4 interview rooms are available on the ground floor",
       "name": "Interview room"
     },
     {
-      "description": "<p>The building has hearing enhancement facilities available by prior arrangement.&nbsp; Please contact the Court office by telephone or email if necessary.</p>",
+      "description": "The building has hearing enhancement facilities available by prior arrangement.  Please contact the Court office by telephone or email if necessary.",
       "name": "Hearing Loop"
     },
     {
-      "description": "<p>Baby changing facilities are available in the disabled toilets on the ground floor</p>\r\n<p>&nbsp;</p>",
+      "description": "Baby changing facilities are available in the disabled toilets on the ground floor\r\n ",
       "name": "Baby changing facility"
     },
     {
-      "description": "<p>This building has level access to the building entrance, and court room.</p>\r\n<p>&nbsp;</p>",
+      "description": "This building has level access to the building entrance, and court room.\r\n ",
       "name": "Disabled access"
     },
     {
-      "description": "<p>Video conference facilities excluding prison to court video links</p>",
+      "description": "Video conference facilities excluding prison to court video links",
       "name": "Video facilities"
     },
     {

diff --git a/src/main/java/uk/gov/hmcts/dts/fact/html/sanitizer/OwaspHtmlSanitizer.java b/src/main/java/uk/gov/hmcts/dts/fact/html/sanitizer/OwaspHtmlSanitizer.java
@@ -15,12 +15,7 @@ private OwaspHtmlSanitizer() {
      * @return the sanitized HTML string
      */
     public static String sanitizeHtml(String untrustedHtml) {
-        PolicyFactory policy = new HtmlPolicyBuilder()
-            .allowElements("a", "strong", "em")
-            .allowUrlProtocols("https", "mailto")
-            .allowAttributes("href").onElements("a")
-            .requireRelNofollowOnLinks()
-            .toFactory();
+        PolicyFactory policy = new HtmlPolicyBuilder().toFactory();
         return policy.sanitize(untrustedHtml);
     }
 }
diff --git a/src/main/java/uk/gov/hmcts/dts/fact/services/admin/AdminCourtFacilityService.java b/src/main/java/uk/gov/hmcts/dts/fact/services/admin/AdminCourtFacilityService.java
@@ -1,5 +1,6 @@
 package uk.gov.hmcts.dts.fact.services.admin;
 
+import org.apache.commons.text.StringEscapeUtils;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Service;
 import org.springframework.transaction.annotation.Transactional;
@@ -75,8 +76,12 @@ public List<Facility> updateCourtFacility(final String slug, final List<Facility
             .orElseThrow(() -> new NotFoundException(slug));
 
         courtFacilities.forEach(facility -> {
-            facility.setDescription(OwaspHtmlSanitizer.sanitizeHtml(facility.getDescription()));
-            facility.setDescriptionCy(OwaspHtmlSanitizer.sanitizeHtml(facility.getDescriptionCy()));
+            facility.setDescription(StringEscapeUtils.unescapeHtml4(OwaspHtmlSanitizer.sanitizeHtml(
+                StringEscapeUtils.unescapeHtml4(facility.getDescription())
+            )));
+            facility.setDescriptionCy(StringEscapeUtils.unescapeHtml4(OwaspHtmlSanitizer.sanitizeHtml(
+                StringEscapeUtils.unescapeHtml4(facility.getDescriptionCy())
+            )));
         });
 
         List<CourtFacility> existingList = getExistingCourtFacilities(courtEntity);

diff --git a/src/main/java/uk/gov/hmcts/dts/fact/services/admin/AdminCourtGeneralInfoService.java b/src/main/java/uk/gov/hmcts/dts/fact/services/admin/AdminCourtGeneralInfoService.java
@@ -1,5 +1,6 @@
 package uk.gov.hmcts.dts.fact.services.admin;
 
+import org.apache.commons.text.StringEscapeUtils;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Service;
 import org.springframework.transaction.annotation.Transactional;
@@ -63,16 +64,27 @@ public CourtGeneralInfo updateCourtGeneralInfo(final String slug, final CourtGen
             .orElseThrow(() -> new NotFoundException(slug));
 
         final CourtGeneralInfo originalGeneralInfo = new CourtGeneralInfo(courtEntity);
-        courtEntity.setAlert(OwaspHtmlSanitizer.sanitizeHtml(generalInfo.getAlert()));
-        courtEntity.setAlertCy(OwaspHtmlSanitizer.sanitizeHtml(generalInfo.getAlertCy()));
+
+        //here we are unescaping anything temporarily so owasp can safely remove them
+        //after we still have escaped bits (that are safe) so we now need to turn them back into safe html for saving
+        courtEntity.setAlert(StringEscapeUtils.unescapeHtml4(OwaspHtmlSanitizer.sanitizeHtml(
+            StringEscapeUtils.unescapeHtml4(generalInfo.getAlert())
+        )));
+        courtEntity.setAlertCy(StringEscapeUtils.unescapeHtml4(OwaspHtmlSanitizer.sanitizeHtml(
+            StringEscapeUtils.unescapeHtml4(generalInfo.getAlertCy())
+        )));
 
         if (rolesProvider.getRoles().contains(FACT_SUPER_ADMIN)) {
             String newSlug = Utils.convertNameToSlug(generalInfo.getName());
             checkIfUpdatedCourtIsValid(courtEntity.getSlug(), newSlug);
             courtEntity.setName(generalInfo.getName());
             courtEntity.setSlug(newSlug);
-            courtEntity.setInfo(generalInfo.getInfo());
-            courtEntity.setInfoCy(generalInfo.getInfoCy());
+            courtEntity.setInfo(StringEscapeUtils.unescapeHtml4(OwaspHtmlSanitizer.sanitizeHtml(
+                StringEscapeUtils.unescapeHtml4(generalInfo.getInfo())
+            )));
+            courtEntity.setInfoCy(StringEscapeUtils.unescapeHtml4(OwaspHtmlSanitizer.sanitizeHtml(
+                StringEscapeUtils.unescapeHtml4(generalInfo.getInfoCy())
+            )));
             courtEntity.setDisplayed(generalInfo.getOpen());
 
             if (generalInfo.isServiceCentre()) {
@@ -81,12 +93,22 @@ public CourtGeneralInfo updateCourtGeneralInfo(final String slug, final CourtGen
                     // intro paragraph, or otherwise if one exists, alter the rows instead
                     ServiceCentre serviceCentre = new ServiceCentre();
                     serviceCentre.setCourtId(courtEntity);
-                    serviceCentre.setIntroParagraph(generalInfo.getScIntroParagraph());
-                    serviceCentre.setIntroParagraphCy(generalInfo.getScIntroParagraphCy());
+                    serviceCentre.setIntroParagraph(StringEscapeUtils.unescapeHtml4(OwaspHtmlSanitizer.sanitizeHtml(
+                        StringEscapeUtils.unescapeHtml4(generalInfo.getScIntroParagraph())
+                    )));
+                    serviceCentre.setIntroParagraphCy(StringEscapeUtils.unescapeHtml4(OwaspHtmlSanitizer.sanitizeHtml(
+                        StringEscapeUtils.unescapeHtml4(generalInfo.getScIntroParagraphCy())
+                    )));
                     courtEntity.setServiceCentre(serviceCentre);
                 } else {
-                    courtEntity.getServiceCentre().setIntroParagraph(generalInfo.getScIntroParagraph());
-                    courtEntity.getServiceCentre().setIntroParagraphCy(generalInfo.getScIntroParagraphCy());
+                    courtEntity.getServiceCentre().setIntroParagraph(StringEscapeUtils.unescapeHtml4(
+                        OwaspHtmlSanitizer.sanitizeHtml(StringEscapeUtils.unescapeHtml4(
+                            generalInfo.getScIntroParagraph())
+                    )));
+                    courtEntity.getServiceCentre().setIntroParagraphCy(StringEscapeUtils.unescapeHtml4(
+                        OwaspHtmlSanitizer.sanitizeHtml(StringEscapeUtils.unescapeHtml4(
+                            generalInfo.getScIntroParagraphCy())
+                    )));
                 }
             }
         }