[Owasp-antisamy] font-family list values

Jason Li li.jason.c at gmail.com
Mon Oct 27 13:43:03 EDT 2008


This looks like a bug in parsing the font-family property, not in the
regular expression for the font family. I'll look into the issue, but
unless you need a more permissive policy, I would stick with the default
antisamy policy instead of the anythinggoes policy.

The issue can be tracked here:

-Jason Li-
-li.jason.c at gmail.com-

On Mon, Oct 27, 2008 at 12:37 PM, Chase Seibert
<chase.seibert+antisamy at gmail.com> wrote:
> Using the antisamy-anythinggoes-1.2.xml policy file on the following HTML
> snippet:
> <DIV style="font-family: Geneva, Arial, Sans-serif">Text</DIV>
> getCleanHTML() produces:
> "http://www.w3.org/TR/WD-html-in-xml/DTD/xhtml1-strict.dtd">
> <div style>Text</div>
> Can the policy file be configured to preserve the font family? I want to
> allow any values in this case. I have tried:
> <property name="font-family">
>     <regexp-list>
>         <regexp name="anything"/>
>     </regexp-list>
> </property>
> But that still strips the value.
>   - Chase
