[Owasp-antisamy] Fwd: HEX code to RGB

Jason Li jason.li at owasp.org
Sat Apr 18 02:35:27 EDT 2009


Thanks for forwarding my message Arshan.

Raphael,

As I said in that email, there is no way to avoid the color
canonicalization in AntiSamy at the moment. It's basically the same
effect as the canonicalization of apostrophes to quotes for tag
attributes.

I will however retract my previous statement about requiring a lot of
effort to change. I did some thinking on my commute home today and I
realized there's actually a very simple solution.

Providing the ability to keep the original formatting with CSS (and I
suspect HTML as well) would be a significant undertaking that I'm not
even sure is possible. However, instead of trying to retain the
original formatting, what I can instead provide is a way to
canonicalize both to rgb code or hex code format and introduce a new
directive allowing users to specify which method they would prefer to
be used in canonicalization.

My only concern is that we've been introducing a lot of extra
"directives" in the policy file so I believe we're starting to see the
"second-system effect" on AntiSamy. I'll have a discussion with Arshan
about it, but you can probably expect to see the new functionality in
the next release.

I've opened an issue for it in Google Code but I've left the status as
New pending my discussion with Arshan. You can track the issue here:
http://code.google.com/p/owaspantisamy/issues/detail?id=42

--
-Jason Li-
-jason.li at owasp.org-



On Fri, Apr 17, 2009 at 6:06 PM, Arshan Dabirsiaghi
<arshan.dabirsiaghi at aspectsecurity.com> wrote:
>
> Begin forwarded message:
>
> From: Jason Li <jli at owasp.org>
> Date: April 17, 2009 12:04:20 PM EDT
> To: Arshan Dabirsiaghi <arshan.dabirsiaghi at aspectsecurity.com>
> Subject: Fwd: [Owasp-antisamy] HEX code to RGB
>
> Arshan,
> My response from my iPhone got bounced. Can you send the reply below to the
> list?
> -Jason
>
>
> Begin forwarded message:
>
> From: Jason Li <jason.li at owasp.org>
> Date: April 17, 2009 11:59:50 AM EDT
> To: "Raphael L. Moita" <raphael.moita at gmail.com>
> Cc: AntiSamy <owasp-antisamy at lists.owasp.org>
> Subject: Re: [Owasp-antisamy] HEX code to RGB
>
> The CSS serializer currently canonicalizes color codes to the RGB values.
> There is currently no way to avoid this behavior.
> This behavior is no different than AntiSamy's conversion of attributes from
> apostrophes to quotes. That is, AntiSamy converts:
> <div id='myid'>stuff</div>
> Into:
> <div id="myid">stuff</div>
> Both of these canonicalizations should be visually equivalent.
> It would take quite a bit of effort to support complete pass through without
> canonicalization and I'm not convinced it's worth the effort.
> If you can make a case for it though, we're open to listening.
> -Jason
>
> On Apr 17, 2009, at 11:34 AM, "Raphael L. Moita" <raphael.moita at gmail.com>
> wrote:
>
> Hi All,
>
> Does anyone know why AntiSamy changes hex values to RGB like the example below, and
> how can I avoid that?
>
> <font style="BACKGROUND-COLOR: #ffff00"> to <font style="BACKGROUND-COLOR: rgb(255,255,0)">
>
> Thanks in advance
>
> --
> Raphael Moita
>
> _______________________________________________
> Owasp-antisamy mailing list
> Owasp-antisamy at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-antisamy
>
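The thread above describes AntiSamy's CSS serializer rewriting `#ffff00` as `rgb(255,255,0)`, and Jason's proposal to let a policy directive choose whether colour values are canonicalized to hex or to rgb() form. The following is an added illustration of that idea, written for this page; it is not AntiSamy's own code and makes no claim about how the proposed directive is implemented. It assumes a simplified `property: value; ...` style string, handles only `#rgb`, `#rrggbb` and `rgb(r,g,b)` literals (named colours are treated as unrecognised), and drops any colour declaration whose value does not parse, which is the conservative choice for a sanitizer.

```python
import re

# Added example, not AntiSamy code: canonicalize CSS colour literals to a
# chosen form ("rgb" or "hex"), mirroring the "pick one canonical form"
# directive discussed on the list. Only well-formed literals are accepted.

HEX_RE = re.compile(r"^#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6})$")
RGB_RE = re.compile(
    r"^rgb\(\s*(\d{1,3})\s*,\s*(\d{1,3})\s*,\s*(\d{1,3})\s*\)$", re.IGNORECASE
)

# Properties whose values we canonicalize (assumed subset for this example).
COLOR_PROPERTIES = ("color", "background-color")


def parse_color(value):
    """Return an (r, g, b) tuple for a #hex or rgb() literal, else None."""
    value = value.strip()
    if HEX_RE.match(value):
        digits = value[1:]
        if len(digits) == 3:
            # #ff0 is shorthand for #ffff00: each digit is doubled.
            digits = "".join(c * 2 for c in digits)
        return tuple(int(digits[i:i + 2], 16) for i in (0, 2, 4))
    m = RGB_RE.match(value)
    if m:
        channels = tuple(int(x) for x in m.groups())
        # The regex allows up to three digits, so range-check each channel.
        if all(0 <= c <= 255 for c in channels):
            return channels
    return None  # named colours, functions, or anything else: not accepted


def canonicalize_color(value, form="rgb"):
    """Render a colour literal in the requested canonical form, or None if unparseable."""
    rgb = parse_color(value)
    if rgb is None:
        return None
    if form == "rgb":
        return "rgb(%d,%d,%d)" % rgb
    if form == "hex":
        return "#%02x%02x%02x" % rgb
    raise ValueError("unknown canonical form: %r" % form)


def canonicalize_style(style, form="rgb"):
    """Canonicalize colour values in a 'prop: value; ...' declaration block.

    Property names are kept as written (compared case-insensitively); colour
    declarations whose value is not a well-formed literal are dropped rather
    than passed through, so nothing unrecognised survives sanitization.
    """
    out = []
    for decl in style.split(";"):
        if ":" not in decl:
            continue
        prop, val = decl.split(":", 1)
        prop, val = prop.strip(), val.strip()
        if prop.lower() in COLOR_PROPERTIES:
            canon = canonicalize_color(val, form)
            if canon is None:
                continue
            val = canon
        out.append("%s: %s" % (prop, val))
    return "; ".join(out)


if __name__ == "__main__":
    # Constructed sample matching the thread's example.
    sample = "BACKGROUND-COLOR: #ffff00"
    print(canonicalize_style(sample, "rgb"))  # the behaviour Raphael observed
    print(canonicalize_style(sample, "hex"))  # the alternative Jason proposed
```

With `form="rgb"` the sample from Raphael's message comes out exactly as he saw it; with `form="hex"` the original literal is preserved in lower-case six-digit form, so `#FF0` and `#ffff00` still collapse to one representation rather than being passed through untouched.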

