[Owasp-antisamy] What does ShorthandList mean in the config files?

• Previous message: [Owasp-antisamy] What does ShorthandList mean in the config files?
• Next message: [Owasp-antisamy] What does ShorthandList mean in the config files?
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Jason,

Thanks for the explanation - I mostly understand. It would have made 
more sense to me if there was a "datatype" named margin-width, and then 
have "margin", "margin-left", "margin-top", "margin-right", and 
"margin-bottom" defined in terms of that datatype. For "margin", I was 
expecting a definition that expresses the fact that the "margin" 
property can have 1 through 4 values.

I figured it was a bug -- but maybe it's by design -- that properties 
are allowed to have multiple values. Hence, the following are considered 
valid:
<body><div style="margin: 1em 2em 3em 4em 5em 6em 7em;">hello</div></body>
<body><div style="margin-left: 1em 2em; margin-top: inherit 
auto;">hello</div></body>
<body><div style="background-color: red white blue;">hello</div></body>

Given that the intent is to filter out evil constructs rather than to 
perform full CSS validation, this probably doesn't really hurt anything.

Thanks again,
--Dan

Jason Li wrote on 12/23/2009 9:08 PM:
> Dan,
>
> You're on the right track with regards to how the shorthand list
> works. The point of the shorthand list is essentially to refer to
> other property "data types" that can make up the current property.
>
> In the case of a property like background, it's made up of
> background-color, background-image, background-repeat,
> background-attachment and background-position "data types"
>
> In the case of the 'margin' property, it's made up of a margin width
> "data type", which is a positive length or a positive percentage.
> These margin widths happen to *represent* the top, right, bottom and
> left margins respectively.  But the "data type" for margin-top,
> margin-right, margin-bottom and margin-left is a margin width. The
> margin width is precisely the "data type"  that is defined in the
> margin property.
>
> So the shorthand list is not the semantic meaning of the property,
> it's what data types are valid for the property. It's a subtle
> distinction so I can see how you got confused.
>
> Another good example of nested properties like this is the border
> property. The border property consists of a border color, style and
> width and happens to specify the all four borders. As a result, list
> of valid values for a border property are any color (by regexp),
> border-style datatype (by shorthand), and border-width datatype (by
> shorthand). The same is true for border-top, border-left,
> border-bottom and border-right.
>
> These relationships are taken from the CSS specification and this
> table from that spec might help visualize it better:
> http://www.w3.org/TR/CSS21/propidx.html
>
> Hopefully that clears things up - if not, feel free to ask more
> questions to the list.
>
> -Jason
>
> On Wed, Dec 23, 2009 at 3:00 PM, Dan Rabe <dan.rabe at oracle.com> wrote:
>   
>> Could someone please give me a brief explanation of how shorthand-list works
>> in the xml config files?
>>
>> I see one usage that makes sense to me: background. You can use background
>> as a shorthand for setting several other background- properties:
>>
>> <property name="background" description="The 'background' property is a
>> shorthand property for setting the individual background properties (i.e.,
>> 'background-color', 'background-image', 'background-repeat',
>> 'background-attachment' and 'background-position') at the same place in the
>> style sheet.">
>>     <literal-list>
>>         <literal value="inherit"/>
>>     </literal-list>
>>     <shorthand-list>
>>         <shorthand name="background-color"/>
>>         <shorthand name="background-image"/>
>>         <shorthand name="background-repeat"/>
>>         <shorthand name="background-attachment"/>
>>         <shorthand name="background-position"/>
>>
>>     </shorthand-list>
>> </property>
>>
>> However, there are some other usages that don't make sense. For example,
>> margin can be used as a shorthand for setting margin-top, margin-right,
>> margin-bottom, and margin-left. But what I see in antisamy.xml is this:
>> <property name="margin" description="">
>>     <category-list>
>>         <category value="visual"/>
>>     </category-list>
>>     <literal-list>
>>         <literal value="inherit"/>
>>         <literal value="auto"/>
>>     </literal-list>
>>     <regexp-list>
>>         <regexp name="positiveLength"/>
>>         <regexp name="positivePercentage"/>
>>     </regexp-list>
>> </property>
>> <property name="margin-top" default="0" description="">
>>     <category-list>
>>         <category value="visual"/>
>>     </category-list>
>>     <literal-list>
>>         <literal value="inherit"/>
>>     </literal-list>
>>     <shorthand-list>
>>         <shorthand name="margin"/>
>>     </shorthand-list>
>> </property>
>>
>> This seems backwards to me. Shouldn't margin contain a shorthand-list for
>> margin-top, margin-right, margin-bottom, margin-left?
>>
>> BTW, I'm looking at antisamy.xsd from the trunk, SVN revision 137.
>>
>> Thanks,
>> --Dan
>>
>>
>> _______________________________________________
>> Owasp-antisamy mailing list
>> Owasp-antisamy at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-antisamy
>>
>>
>>     

• Previous message: [Owasp-antisamy] What does ShorthandList mean in the config files?
• Next message: [Owasp-antisamy] What does ShorthandList mean in the config files?
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]