[Owasp-antisamy] inline style problem

Jason Li jason.li at owasp.org
Sat Mar 14 16:04:01 EDT 2009


What regular expression are you using and where are you putting it?

There are two regular expressions in the default AntiSamy policy and neither
of them permits #000 by default.

The first is colorNameOrCode and the second is cssColor. For stylesheets,
the one you want to change is cssColor.

Having two regular expressions like this is kind of confusing though - we'll
look into improving that.

--
-Jason Li-
-jason.li at owasp.org-


On Sat, Mar 14, 2009 at 2:50 PM, Andrew Grosset <ag5743 at telus.net> wrote:

> Hi,
>
> When trying to parse an inline style such as <div
> style='color:#000'></div> it returns false,
> showing ":" (colon) is not allowed even though my regular expression
> allows it. To get round the problem
> I change all "style" to "astyle" (any other word will do) and change the
> XML file as well ("style" changed to "astyle").
> I am using Railo (ColdFusion).
>
> Anyone else had a problem with inline style? Is this a bug? Although my
> hack of changing "style" to something else works,
> it seems to indicate a fundamental problem somewhere?
>
> Andrew.