[Owasp-antisamy] inline style problem

Jason Li jason.li at owasp.org
Tue Mar 17 12:11:32 EDT 2009


Andrew,

I can't reproduce the effect you're having with the style attribute being
eliminated.

Which policy file are you using? Not every policy allows CSS. Let me know
some more details (such as which policy file you're using and what changes
you have made) and I will try to help out.

Using the default policy file, I am able to do:
<div style="color: #000000"></div>

though this is converted to:
<div style="color: rgb(0,0,0);"/> by CSS/HTML canonicalization.

Note that three digit hexadecimal specification of color values wasn't in
the last release of AntiSamy. The change has been made to support this in
the next release (or you can download the most recent Antisamy policy file
here:
http://owaspantisamy.googlecode.com/svn/trunk/Java/current/resources/antisamy.xml
)

--
-Jason Li-
-jason.li at owasp.org-


On Sat, Mar 14, 2009 at 6:36 PM, Andrew Grosset <ag5743 at telus.net> wrote:

>  the regular expression with style has no effect - I tested it with just
> letters and a colon [A-Za-z:]+
> everything is stripped out with no error message unless a colon is used, i.e.
> style='abc:abc' will produce an error message: The <b>div</b> tag had a
> style attribute, <b>"abc"</b>, that could not be allowed for security
> reasons
> style='123:123' is stripped out with no error
> style='abc:a' produces an error
> style='abc:' is stripped out with no error
>
> by renaming all inline styles from "style" to "mystyle" (or any other name)
> and changing the xml to match I can make it work with the regular expression
> I want.
>
> this works using <regexp name="letternumber" value="[A-Za-z0-9_:#\$-]+"/>:
>
> <div mystyle='font:##000'>andrew</div>
>
> and this correctly errors out: <div mystyle='font:##000*'>andrew</div>
>
> incidentally in the antisamy-myspace-1.2.xml there is a note in the
> common-attributes for style where it says:
> "the "style" attribute will be validated by an inline stylesheet scanner,
> so no need to define anything here - i hate having to special case this but
> no other choice"
> - maybe myspace had a problem too?
>
> Andrew.
>
>
>
>
> Jason Li wrote:
>
> What regular expression are you using and where are you putting it?
>
> There are two regular expressions in the default Antisamy policy and
> neither of them permit #000 by default.
>
> The first is colorNameOrCode and the second is cssColor. For stylesheets,
> the one you want to change is cssColor.
>
> Having two regular expressions like this is kind of confusing though -
> we'll look into improving that.
>
> --
> -Jason Li-
> -jason.li at owasp.org-
>
>
> On Sat, Mar 14, 2009 at 2:50 PM, Andrew Grosset <ag5743 at telus.net> wrote:
>
>> Hi,
>>
>> when trying to parse an inline style such as <div
>> style='color:#000'></div> it returns false
>> showing ":"(colon)  is not allowed even though my regular expression
>> allows it. To get round the problem
>> I change all "style" to "astyle" (any other word will do) and change the
>> xml file as well ("style" changed to "astyle").
>> I am using Railo (coldfusion).
>>
>> anyone else had a problem with inline style, is this a bug, although my
>> hack of changing "style" to something else works
>> it seems to indicate a fundamental problem somewhere?
>>
>> Andrew.
>> _______________________________________________
>> Owasp-antisamy mailing list
>> Owasp-antisamy at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-antisamy
>>
>
>
>
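The thread above turns on two behaviours: the style attribute is checked by an inline stylesheet scanner, declaration by declaration, rather than by the attribute's own regular expression, and a hex colour that passes is canonicalized to an rgb() form. As an added illustration (constructed here, not AntiSamy's code), the Python below models that flow: each `property: value` declaration is split, the property is checked against an allowlist, the colour value against a hex pattern, and accepted colours are rewritten as `rgb(r,g,b)`. The pattern names, the property set and the `scan_style` function are assumptions for the example; the pattern that accepts only six-digit hex stands in for the older release behaviour Jason describes.

```python
import re

# Constructed patterns (not the policy file's own regular expressions).
# SIX_DIGIT_HEX models a release that does not accept "#000";
# HEX_3_OR_6 models the extended rule that accepts both "#000" and "#000000".
SIX_DIGIT_HEX = re.compile(r"^#[0-9a-fA-F]{6}$")
HEX_3_OR_6 = re.compile(r"^#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6})$")

# Assumed allowlist of CSS properties whose values are colours.
ALLOWED_COLOR_PROPERTIES = {"color", "background-color"}


def canonical_color(value):
    """Rewrite a 3- or 6-digit hex colour as 'rgb(r,g,b)'.

    Returns None when the value is not a hex colour. A 3-digit form is
    expanded by doubling each digit, so '#000' and '#000000' agree.
    """
    if not HEX_3_OR_6.match(value):
        return None
    digits = value[1:]
    if len(digits) == 3:
        digits = "".join(c * 2 for c in digits)
    r, g, b = (int(digits[i:i + 2], 16) for i in (0, 2, 4))
    return f"rgb({r},{g},{b})"


def scan_style(style, allow_three_digit=True):
    """Validate an inline style attribute one declaration at a time.

    Returns (clean_style, errors). clean_style is None when no declaration
    survives, which models the attribute being dropped from the output.
    """
    pattern = HEX_3_OR_6 if allow_three_digit else SIX_DIGIT_HEX
    kept, errors = [], []
    for declaration in style.split(";"):
        declaration = declaration.strip()
        if not declaration:
            continue
        # A declaration without 'property: value' form is rejected outright.
        if ":" not in declaration:
            errors.append(f"declaration {declaration!r} is not property:value")
            continue
        prop, _, val = declaration.partition(":")
        prop, val = prop.strip().lower(), val.strip()
        if prop not in ALLOWED_COLOR_PROPERTIES:
            errors.append(f"property {prop!r} is not allowed")
            continue
        if not pattern.match(val):
            errors.append(f"value {val!r} for {prop!r} is not an allowed colour")
            continue
        # Canonicalize so the output carries one representation of the colour.
        kept.append(f"{prop}: {canonical_color(val)};")
    return (" ".join(kept) if kept else None), errors


if __name__ == "__main__":
    # Constructed sample inputs mirroring the cases discussed in the thread.
    for style, three in [("color: #000000", True), ("color: #000", False),
                         ("color: #000", True), ("font:##000", True),
                         ("color: #fff; width: 10px", True)]:
        print(repr(style), "->", scan_style(style, allow_three_digit=three))
```

Run as a script, the six-digit form canonicalizes to `color: rgb(0,0,0);`, `#000` is rejected under the six-digit-only pattern but accepted and canonicalized to the same rgb() form under the extended one, and a declaration such as `font:##000` is refused at the property allowlist before any colour pattern is consulted.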