[Owasp-antisamy] What does ShorthandList mean in the config files?

Jason Li jason.li at owasp.org
Fri Dec 25 00:58:39 EST 2009


Yes, you're right about the case of the margin property (which
likewise applies to any other property) accepting extra values.

It was a design decision not to construct a full HTML/CSS compliance
validator but rather validate that any supplied rich content contained
only safe tags/attributes/properties/etc.

It would have added additional complexity to the policy file which is
already fairly hefty. In retrospect though, it would have been better
to characterize data types like that separately.

Hindsight is 20/20 as they say!

-Jason

On Thu, Dec 24, 2009 at 12:17 PM, Dan Rabe <dan.rabe at oracle.com> wrote:
> Jason,
>
> Thanks for the explanation - I mostly understand. It would have made more
> sense to me if there was a "datatype" named margin-width, and then have
> "margin", "margin-left", "margin-top", "margin-right", and "margin-bottom"
> defined in terms of that datatype. For "margin", I was expecting a
> definition that expresses the fact that the "margin" property can have 1
> through 4 values.
>
> I figured it was a bug -- but maybe it's by design -- that properties are
> allowed to have multiple values. Hence, the following are considered valid:
> <body><div style="margin: 1em 2em 3em 4em 5em 6em 7em;">hello</div></body>
> <body><div style="margin-left: 1em 2em; margin-top: inherit
> auto;">hello</div></body>
> <body><div style="background-color: red white blue;">hello</div></body>
>
> Given that the intent is to filter out evil constructs rather than to
> perform full CSS validation, this probably doesn't really hurt anything.
>
> Thanks again,
> --Dan
>
> Jason Li wrote on 12/23/2009 9:08 PM:
>>
>> Dan,
>>
>> You're on the right track with regards to how the shorthand list
>> works. The point of the shorthand list is essentially to refer to
>> other property "data types" that can make up the current property.
>>
>> In the case of a property like background, it's made up of
>> background-color, background-image, background-repeat,
>> background-attachment and background-position "data types"
>>
>> In the case of the 'margin' property, it's made up of a margin width
>> "data type", which is a positive length or a positive percentage.
>> These margin widths happen to *represent* the top, right, bottom and
>> left margins respectively. But the "data type" for margin-top,
>> margin-right, margin-bottom and margin-left is a margin width. The
>> margin width is precisely the "data type" that is defined in the
>> margin property.
>>
>> So the shorthand list is not the semantic meaning of the property,
>> it's what data types are valid for the property. It's a subtle
>> distinction so I can see how you got confused.
>>
>> Another good example of nested properties like this is the border
>> property. The border property consists of a border color, style and
>> width and happens to specify the all four borders. As a result, list
>> of valid values for a border property are any color (by regexp),
>> border-style datatype (by shorthand), and border-width datatype (by
>> shorthand). The same is true for border-top, border-left,
>> border-bottom and border-right.
>>
>> These relationships are taken from the CSS specification and this
>> table from that spec might help visualize it better:
>> http://www.w3.org/TR/CSS21/propidx.html
>>
>> Hopefully that clears things up - if not, feel free to ask more
>> questions to the list.
>>
>> -Jason
>>
>> On Wed, Dec 23, 2009 at 3:00 PM, Dan Rabe <dan.rabe at oracle.com> wrote:
>>
>>>
>>> Could someone please give me a brief explanation of how shorthand-list
>>> works in the xml config files?
>>>
>>> I see one usage that makes sense to me: background. You can use
>>> background as a shorthand for setting several other background- properties:
>>>
>>> <property name="background" description="The 'background' property is a
>>> shorthand property for setting the individual background properties
>>> (i.e.,
>>> 'background-color', 'background-image', 'background-repeat',
>>> 'background-attachment' and 'background-position') at the same place in
>>> the
>>> style sheet.">
>>>    <literal-list>
>>>        <literal value="inherit"/>
>>>    </literal-list>
>>>    <shorthand-list>
>>>        <shorthand name="background-color"/>
>>>        <shorthand name="background-image"/>
>>>        <shorthand name="background-repeat"/>
>>>        <shorthand name="background-attachment"/>
>>>        <shorthand name="background-position"/>
>>>    </shorthand-list>
>>> </property>
>>>
>>> However, there are some other usages that don't make sense. For example,
>>> margin can be used as a shorthand for setting margin-top, margin-right,
>>> margin-bottom, and margin-left. But what I see in antisamy.xml is this:
>>> <property name="margin" description="">
>>>    <category-list>
>>>        <category value="visual"/>
>>>    </category-list>
>>>    <literal-list>
>>>        <literal value="inherit"/>
>>>        <literal value="auto"/>
>>>    </literal-list>
>>>    <regexp-list>
>>>        <regexp name="positiveLength"/>
>>>        <regexp name="positivePercentage"/>
>>>    </regexp-list>
>>> </property>
>>> <property name="margin-top" default="0" description="">
>>>    <category-list>
>>>        <category value="visual"/>
>>>    </category-list>
>>>    <literal-list>
>>>        <literal value="inherit"/>
>>>    </literal-list>
>>>    <shorthand-list>
>>>        <shorthand name="margin"/>
>>>    </shorthand-list>
>>> </property>
>>>
>>> This seems backwards to me. Shouldn't margin contain a shorthand-list for
>>> margin-top, margin-right, margin-bottom, margin-left?
>>>
>>> BTW, I'm looking at antisamy.xsd from the trunk, SVN revision 137.
>>>
>>> Thanks,
>>> --Dan
>>>
>>>
>>> _______________________________________________
>>> Owasp-antisamy mailing list
>>> Owasp-antisamy at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-antisamy
>
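The distinction Jason draws (a `shorthand-list` names the data types whose values are valid for a property, not the properties the shorthand expands to) and the consequence Dan observed (any number of valid tokens is accepted) can be modelled in a few lines. The following Python is an added example written for this thread; it is not AntiSamy's own code. The policy fragment is constructed from the snippets quoted above, and the regular expressions behind `positiveLength`, `positivePercentage` and `colorName`, as well as the `MAX_VALUES` table, are assumptions (the real antisamy.xml defines its own patterns). The `enforce_count` flag adds the per-property value-count check that the thread says the policy format does not express.

```python
"""Model how AntiSamy-style CSS property rules resolve through shorthand-list references."""
import re
import xml.etree.ElementTree as ET

# Constructed policy fragment modelled on the rules quoted in the thread.
POLICY_XML = """
<css-rules>
  <property name="margin">
    <literal-list><literal value="inherit"/><literal value="auto"/></literal-list>
    <regexp-list><regexp name="positiveLength"/><regexp name="positivePercentage"/></regexp-list>
  </property>
  <property name="margin-top">
    <literal-list><literal value="inherit"/></literal-list>
    <shorthand-list><shorthand name="margin"/></shorthand-list>
  </property>
  <property name="margin-left">
    <literal-list><literal value="inherit"/></literal-list>
    <shorthand-list><shorthand name="margin"/></shorthand-list>
  </property>
  <property name="background-color">
    <literal-list><literal value="inherit"/></literal-list>
    <regexp-list><regexp name="colorName"/></regexp-list>
  </property>
  <property name="background">
    <literal-list><literal value="inherit"/></literal-list>
    <shorthand-list><shorthand name="background-color"/></shorthand-list>
  </property>
</css-rules>
"""

# Assumed patterns; antisamy.xml carries its own common-regexps section.
COMMON_REGEXPS = {
    "positiveLength": r"\+?[0-9]+(\.[0-9]+)?(em|ex|px|in|cm|mm|pt|pc)",
    "positivePercentage": r"\+?[0-9]+(\.[0-9]+)?%",
    "colorName": r"(red|white|blue|green|black)",
}

# Assumed value-count limits taken from CSS 2.1 (margin takes 1 to 4 values);
# properties not listed are treated as single-valued.
MAX_VALUES = {"margin": 4}


class CssPolicy:
    def __init__(self, xml_text):
        root = ET.fromstring(xml_text)
        self.props = {p.get("name"): p for p in root.iter("property")}

    def allowed(self, name, seen=None):
        """Return (literals, compiled regexps) valid for a property.

        A shorthand entry pulls in the literals and regexps of the named
        property: this is the "data type" lookup described in the thread.
        """
        if seen is None:
            seen = set()
        if name in seen or name not in self.props:   # guard against cycles / unknown names
            return set(), []
        seen.add(name)
        prop = self.props[name]
        literals = {lit.get("value") for lit in prop.iter("literal")}
        regexps = [re.compile(COMMON_REGEXPS[r.get("name")]) for r in prop.iter("regexp")]
        for sh in prop.iter("shorthand"):
            sub_lits, sub_res = self.allowed(sh.get("name"), seen)
            literals |= sub_lits
            regexps += sub_res
        return literals, regexps

    def token_ok(self, prop_name, token):
        literals, regexps = self.allowed(prop_name)
        return token in literals or any(r.fullmatch(token) for r in regexps)

    def validate_declaration(self, decl, enforce_count=False):
        """Check 'prop: v1 v2 ...': every token must be valid for the property.

        Without enforce_count the token count is not checked, which is why
        'margin: 1em 2em 3em 4em 5em 6em 7em' passes, as observed in the thread.
        """
        name, _, value = decl.partition(":")
        name, tokens = name.strip(), value.split()
        if name not in self.props or not tokens:
            return False
        if not all(self.token_ok(name, t) for t in tokens):
            return False
        if enforce_count and len(tokens) > MAX_VALUES.get(name, 1):
            return False
        return True

    def filter_style(self, style, enforce_count=False):
        """Keep only declarations that validate, as a sanitizer rewriting style="" would."""
        decls = [d.strip() for d in style.split(";") if d.strip()]
        return "; ".join(d for d in decls if self.validate_declaration(d, enforce_count))


if __name__ == "__main__":
    policy = CssPolicy(POLICY_XML)
    for decl in ["margin: 1em 2em 3em 4em 5em 6em 7em", "margin-top: inherit auto",
                 "background: red", "margin: -1em", "margin: expression(1)"]:
        print(f"{decl!r}: lenient={policy.validate_declaration(decl)} "
              f"strict={policy.validate_declaration(decl, enforce_count=True)}")
```

Run stand-alone it prints, for each constructed declaration, whether the lenient (thread-accurate) and the strict (count-enforcing) check accepts it. The point of the two modes is that the lenient rule set is a whitelist of token shapes, so the extra values Dan found are harmless by construction: a token that is not a listed literal and matches no listed pattern is rejected regardless of how many valid tokens surround it.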