[Owasp-antisamy] reg Style attributes

yseshadri at worldbank.org yseshadri at worldbank.org
Thu Jul 23 03:06:29 EDT 2009



Hi:

This is regarding the style attribute values being stripped off in the valid
HTML content:

Here is my sample input:

<H4 style="MARGIN: 0cm -36pt 0pt 0cm; TEXT-ALIGN: justify; mso-list: skip"
mce_style="MARGIN: 0cm -36pt 0pt 0cm; TEXT-ALIGN: justify; mso-list: skip"><FONT
size=3><EM><FONT face="Times New Roman"><SPAN class=preparersnote><U><SPAN
style="mso-bidi-font-weight: bold" mce_style="mso-bidi-font-weight: bold">Sample
Testing - 1</SPAN></U></SPAN><SPAN class=preparersnote><SPAN
style="mso-bidi-font-weight: bold" mce_style="mso-bidi-font-weight: bold">
Sample Testing -2</SPAN></SPAN></FONT></EM></FONT></H4>

Here is my output:

<h4
  mce_style="MARGIN: 0cm -36pt 0pt 0cm; TEXT-ALIGN: justify; mso-list: skip"
style="TEXT-ALIGN: justify;">
  <font size="3">
    <em>
      <font face="Times New Roman">
        <span class="preparersnote">
          <u>
            <span mce_style="mso-bidi-font-weight: bold" style="">Sample
              Testing - 1</span></u></span>
        <span class="preparersnote">
          <span mce_style="mso-bidi-font-weight: bold" style=""> Sample
            Testing -2</span></span></font></em></font></h4>

We see that the style attribute value on the H4 tag is retained. However, on the SPAN
tag, the value is stripped.

Also here is the exception message logged:
WARNING: SECURITY-FAILURE Anonymous at unknown:unknown -- Invalid HTML input:
context=safeHTML, errors=[The h4 tag had a style attribute, "MARGIN", that could
not be allowed for security reasons., The h4 tag had a style attribute,
"mso&#45;list", that could not be allowed for security reasons., The span tag
had a style attribute, "mso&#45;bidi&#45;font&#45;weight", that could not be
allowed for security reasons., The span tag had a style attribute,
"mso&#45;bidi&#45;font&#45;weight", that could not be allowed for security
reasons.]
    ValidationException @
org.owasp.esapi.reference.DefaultValidator.getValidSafeHTML(null:-1)

Please find the antisamy.xml version I use for testing attached
herewith.

Is there a way to define a regular expression for allowing style attribute values?

(See attached file: antisamy-esapi.zip)


Your inputs are highly appreciated.

Thanks,
Yamini S.
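An added example, not part of the original message or of the attached policy: a fragment in the css-rules form an AntiSamy policy file uses, showing the two ways a CSS property's values can be constrained, a literal list and a named pattern from common-regexps, for the three properties the warning above reports as disallowed. The regexp name and the allowed values are assumptions chosen for this example, taken from the sample input; everything outside these two sections of the policy is left as it is.

```xml
<!-- Fragment of an AntiSamy policy file (for example the antisamy-esapi.xml
     attached to the message). Only the elements shown are added; the existing
     directives, tag-rules and the rest of css-rules stay unchanged. -->
<common-regexps>
  <!-- Assumed name. Anchored to a short keyword so the pattern cannot admit
       url(), expression() or other function-like CSS values. -->
  <regexp name="msoKeyword" value="^(skip|bold|normal)$"/>
</common-regexps>

<css-rules>
  <!-- Option 1: a fixed literal list. Word emits only a few keywords here, so
       enumerating them is tighter than any regular expression. -->
  <property name="mso-bidi-font-weight"
            description="Word-generated hint; only the keywords Word emits">
    <literal-list>
      <literal value="bold"/>
      <literal value="normal"/>
    </literal-list>
  </property>

  <!-- Option 2: a named regular expression from common-regexps. -->
  <property name="mso-list" description="Word-generated list marker">
    <regexp-list>
      <regexp name="msoKeyword"/>
    </regexp-list>
  </property>

  <!-- margin was rejected with the value "0cm -36pt 0pt 0cm". Rather than
       widening the shorthand, constrain it to lengths with an optional sign
       and a unit, up to four of them, so only plain measurements pass. -->
  <property name="margin" description="Up to four signed lengths with units">
    <regexp-list>
      <regexp value="^(-?\d+(\.\d+)?(px|pt|cm|mm|in|em|%)\s*){1,4}$"/>
    </regexp-list>
  </property>
</css-rules>
```

Note that the output above still carries the unfiltered values in the mce_style attribute, which css-rules does not inspect; whether that attribute should be permitted at all is a separate tag-rules decision.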
-------------- next part --------------
A non-text attachment was scrubbed...
Name: antisamy-esapi.zip
Type: application/zip
Size: 10762 bytes
Desc: not available
Url : https://lists.owasp.org/pipermail/owasp-antisamy/attachments/20090723/0d3460f0/attachment.zip 