[Owasp-antisamy] font-family list values

Jason Li li.jason.c at gmail.com
Mon Oct 27 13:43:03 EDT 2008


Chase,

This looks like a bug in parsing the font-family property, not in the
regular expression for the font family. I'll look into the issue, but
unless you need a more permissive policy, I would stick with the default
antisamy policy instead of the anythinggoes policy.

The issue can be tracked here:
http://code.google.com/p/owaspantisamy/issues/detail?id=28

--
-Jason Li-
-li.jason.c at gmail.com-



On Mon, Oct 27, 2008 at 12:37 PM, Chase Seibert
<chase.seibert+antisamy at gmail.com> wrote:
> Using the antisamy-anythinggoes-1.2.xml policy file on the following HTML
> snippet:
>
> <DIV style="font-family: Geneva, Arial, Sans-serif">Text</DIV>
>
> getCleanHTML() produces:
>
> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN"
> "http://www.w3.org/TR/WD-html-in-xml/DTD/xhtml1-strict.dtd">
> <div style>Text</div>
>
> Can the policy file be configured to preserve the font family? I want to
> allow any values in this case. I have tried:
>
> <property name="font-family">
>             <regexp-list>
>                 <regexp name="anything"/>
>             </regexp-list>
> </property>
>
> But that still strips the value.
>
>   - Chase
>

