[Owasp-antisamy] Error parsing <style> contents containing CDATA

Jason Li jason.li at owasp.org
Mon Nov 24 16:53:03 EST 2008


I'll have to take a look at how the SAC (Simple API for CSS) Parser works
with CDATA tags.

I've entered the issue into our bug tracker as ID 30 and you can follow the
status here:
http://code.google.com/p/owaspantisamy/issues/detail?id=30
--
-Jason Li-
-jason.li at owasp.org-


On Mon, Nov 24, 2008 at 4:10 PM, Gang Zheng <gzheng at gmail.com> wrote:

> Hi,
>
> I tried the following input string with AntiSamy and encountered an
> exception:
>
> Input String: <style type="text/css"><![CDATA[P {  margin-bottom:
> 0.08in; } ]]></style>
>
> org.apache.batik.css.parser.ParseException: character
>        at org.apache.batik.css.parser.Scanner.nextToken(Scanner.java:381)
>        at org.apache.batik.css.parser.Scanner.next(Scanner.java:222)
>        at org.apache.batik.css.parser.Parser.parseStyleSheet(Parser.java:185)
>        at org.owasp.validator.css.CssScanner.scanStyleSheet(CssScanner.java:124)
>        at org.owasp.validator.html.scan.AntiSamyDOMScanner.recursiveValidateTag(AntiSamyDOMScanner.java:318)
>        at org.owasp.validator.html.scan.AntiSamyDOMScanner.scan(AntiSamyDOMScanner.java:135)
>        at org.owasp.validator.html.AntiSamy.scan(AntiSamy.java:99)
>
> I traced the code, and it seems that AntiSamy passes the text of
> "<![CDATA[P {  margin-bottom: 0.08in; } ]]>" to the CSS scanner, and
> the CSS scanner does not like <![CDATA[...]]> as the surrounding of
> the real style sheet contents.
>
> If I remove the CDATA from the input and change the style sheet
> contents to "<style type="text/css">P {  margin-bottom: 0.08in;
> }</style>", everything works fine.
>
> So my question is, how can I make the AntiSamy/CSS Scanner correctly
> parse the CDATA contents? After all, the CDATA section in the original
> input is perfectly legal style sheet contents.
>
> Thanks,
>
> -Gang
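An added example, not from either poster and not AntiSamy's own code: one way a caller could strip a CDATA wrapper from the text of a <style> element before that text reaches the CSS scanner, rejecting anything that is only partly wrapped. The class and method names are hypothetical, and the sample strings are constructed from the input quoted in the thread.

```java
/** Hypothetical helper (not part of AntiSamy): unwraps one CDATA section around style text. */
public final class StyleCdataUnwrapper {

    private static final String OPEN = "<![CDATA[";
    private static final String CLOSE = "]]>";

    /**
     * Returns the style sheet text without a surrounding CDATA section.
     * Text with no CDATA markers is returned unchanged. Stray, nested or
     * unterminated markers are rejected so that the text handed to the CSS
     * parser is never a guess at what the author meant.
     */
    public static String unwrap(String styleText) {
        String trimmed = styleText.trim();
        String inner = styleText;
        if (trimmed.startsWith(OPEN) && trimmed.endsWith(CLOSE)
                && trimmed.length() >= OPEN.length() + CLOSE.length()) {
            inner = trimmed.substring(OPEN.length(), trimmed.length() - CLOSE.length());
        }
        // After unwrapping at most one section, no marker may remain.
        if (inner.contains(OPEN) || inner.contains(CLOSE)) {
            throw new IllegalArgumentException("malformed CDATA section in style text");
        }
        return inner;
    }

    public static void main(String[] args) {
        // Constructed samples; the first is the style text from the report above.
        String[] samples = {
            "<![CDATA[P {  margin-bottom: 0.08in; } ]]>",  // wrapped
            "P {  margin-bottom: 0.08in; }",               // already plain CSS
            "<![CDATA[P { color: red; }",                  // unterminated section
            "<![CDATA[P {} ]]> B {} ]]>"                   // stray closing marker
        };
        for (String sample : samples) {
            try {
                // The returned string is what would be passed on to the CSS scanner.
                System.out.println("css:      [" + unwrap(sample) + "]");
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: [" + sample + "] " + e.getMessage());
            }
        }
    }
}
```

The unwrapped text still has to go through the CSS scanner's validation; the helper only removes the XML wrapper that the Batik parser rejects as a token.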