[Owasp-antisamy] Null pointer is thrown when passing empty <style> element

Arshan Dabirsiaghi arshan.dabirsiaghi at aspectsecurity.com
Tue Nov 25 15:00:45 EST 2008


This has been fixed in my local repository snapshot already - thanks!

________________________________

From: owasp-antisamy-bounces at lists.owasp.org on behalf of Gang Zheng
Sent: Tue 11/25/2008 12:55 PM
To: owasp-antisamy at lists.owasp.org
Subject: [Owasp-antisamy] Null pointer is thrown when passing empty <style> element



Hi,

When I pass in a style sheet containing an empty <style> element, the
AntiSamy code throws a null pointer exception.

To reproduce, pass an input string of "<style type="text/css"></style>".

There is a defect in AntiSamyDOMScanner.java, around line number 315.
The current code calls "node.getFirstChild().getNodeValue()" without
checking the null pointer condition, which will happen when the above
empty <style> tag is given as input.

I made the following code change, and it works fine:

// An empty <style> element has no child node, so check before dereferencing.
Node firstChild = node.getFirstChild();
if (firstChild != null) {
  try {
    CleanResults cr = styleScanner.scanStyleSheet(
        firstChild.getNodeValue(), policy.getMaxInputSize());
    errorMessages.addAll(cr.getErrorMessages());
    ...

Please verify and fix the code in the next release.

Thanks.

Gang Zheng
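
The failure mode reported in this thread, reproduced with the JDK's built-in DOM parser as an added example (not AntiSamy code and not part of the original messages). `EmptyStyleDemo`, `styleText` and `parseRoot` are hypothetical names and the sample inputs are constructed; the helper goes beyond the reported case by concatenating every text or CDATA child instead of reading only the first one.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Node;

public class EmptyStyleDemo {

    // Hypothetical helper (not AntiSamy's): collect the CSS text of a <style>
    // node without assuming it has any children. Returns "" for an empty element.
    static String styleText(Node styleNode) {
        StringBuilder css = new StringBuilder();
        for (Node child = styleNode.getFirstChild(); child != null; child = child.getNextSibling()) {
            short type = child.getNodeType();
            if (type == Node.TEXT_NODE || type == Node.CDATA_SECTION_NODE) {
                css.append(child.getNodeValue());
            }
        }
        return css.toString();
    }

    // Parse constructed, well-formed markup and return its root element.
    static Node parseRoot(String markup) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        // Refuse DOCTYPE declarations so the parser cannot be used for XXE.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return factory.newDocumentBuilder()
            .parse(new ByteArrayInputStream(markup.getBytes(StandardCharsets.UTF_8)))
            .getDocumentElement();
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples: the input from the report, a normal style sheet,
        // and one whose CSS is split across a text node and a CDATA section.
        String[] samples = {
            "<style type=\"text/css\"></style>",
            "<style type=\"text/css\">p { color: red }</style>",
            "<style type=\"text/css\">a { } <![CDATA[b { }]]></style>"
        };
        for (String markup : samples) {
            Node style = parseRoot(markup);
            // For the first sample getFirstChild() is null, which is the
            // unchecked dereference described in the report.
            boolean noChild = style.getFirstChild() == null;
            System.out.printf("%-58s firstChild==null: %-5b css=[%s]%n",
                markup, noChild, styleText(style));
        }
    }
}
```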