[Owasp-antisamy] font-family list values

Chase Seibert chase.seibert+antisamy at gmail.com
Mon Oct 27 12:37:48 EDT 2008


Using the antisamy-anythinggoes-1.2.xml policy file on the following HTML
snippet:

<DIV style="font-family: Geneva, Arial, Sans-serif">Text</DIV>

getCleanHTML() produces:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN" "http://www.w3.org/TR/WD-html-in-xml/DTD/xhtml1-strict.dtd">
<div style>Text</div>

Can the policy file be configured to preserve the font family? I want to
allow any values in this case. I have tried:

<property name="font-family">
    <regexp-list>
        <regexp name="anything"/>
    </regexp-list>
</property>

But that still strips the value.

  - Chase