[Owasp-antisamy] inline style problem

Andrew Grosset ag5743 at telus.net
Sat Mar 21 23:03:41 EDT 2009


I've created a "bare-bones" XML policy file using the attribute "style", 
and it strips out the style, i.e. style=''.
I then changed the attributes to "astyle" (from "style") in my XML file 
and my span to "astyle", and it works!

<span style='padding: 5px;'>testing</span>


<?xml version="1.0" encoding="ISO-8859-1"?>
<!-- W3C rules retrieved from: -->
<anti-samy-rules xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

        <directives>
                <directive name="omitXmlDeclaration" value="true"/>
                <directive name="omitDoctypeDeclaration" value="true"/>
                <directive name="maxInputSize" value="10000"/>
                <directive name="useXHTML" value="true"/>
                <directive name="formatOutput" value="true"/>
                <directive name="embedStyleSheets" value="false"/>
        </directives>

        <common-regexps>
                <!-- From W3C:
                     This attribute assigns a class name or set of class names to an
                     element. Any number of elements may be assigned the same class
                     name or names. Multiple class names must be separated by white
                     space characters. -->
                <regexp name="letternumber" value="[A-Za-z0-9\s_:;#\$-]+"/>
        </common-regexps>

        <common-attributes>
                <attribute name="style">
                        <regexp-list>
                                <regexp name="letternumber"/>
                        </regexp-list>
                </attribute>
                <attribute name="lang" description="The 'lang' attribute tells the browser what language the element's attribute values and content are written in">
                        <regexp-list>
                                <regexp value="[a-zA-Z]{2,20}"/>
                        </regexp-list>
                </attribute>
                <attribute name="title" description="The 'title' attribute provides text that shows up in a 'tooltip' when a user hovers their mouse over the element">
                        <regexp-list>
                                <regexp name="letternumber"/>
                        </regexp-list>
                </attribute>
        </common-attributes>

        <global-tag-attributes>
                <attribute name="title"/>
                <attribute name="lang"/>
        </global-tag-attributes>

        <tag-rules>
                <tag name="span" action="validate">
                        <attribute name="style"/>
                </tag>
                <tag name="div" action="validate">
                        <attribute name="style"/>
                </tag>
        </tag-rules>

</anti-samy-rules>



Jason Li wrote:

> Andrew,
> I can't reproduce the effect you're having with the style attribute 
> being eliminated.
> Which policy file are you using? Not every policy allows CSS. Let me 
> know some more details (such as which policy file you're using and 
> what changes you have made) and I will try to help out.
> Using the default policy file, I am able to do:
> <div style="color: #000000"></div>
> though this is converted to:
> <div style="color: rgb(0,0,0);"/> by CSS/HTML canonicalization.
> Note that three digit hexadecimal specification of color values wasn't 
> in the last release of AntiSamy. The change has been made to support 
> this in the next release (or you can download the most recent Antisamy 
> policy file here: 
> http://owaspantisamy.googlecode.com/svn/trunk/Java/current/resources/antisamy.xml)
> --
> -Jason Li-
> -jason.li <http://jason.li>@owasp.org-
> On Sat, Mar 14, 2009 at 6:36 PM, Andrew Grosset <ag5743 at telus.net 
> <mailto:ag5743 at telus.net>> wrote:
>     the regular expression with style has no effect - I tested it with
>     just letters and a colon [A-Za-z:]+
>     everything is stripped out with no error message unless a colon is
>     used ie style='abc:abc' will produce an error message: The
>     <b>div</b> tag had a style attribute, <b>"abc"</b>, that could not
>     be allowed for security reasons
>     style='123:123' is stripped out with no error
>     style='abc:a' produces an error
>     style='abc:' is stripped out with no error
>     by renaming all inline styles from "style" to "mystyle" (or any
>     other name) and changing the xml to match I can make it work with
>     the regular expression I want.
>     this works using <regexp name="letternumber"
>     value="[A-Za-z0-9_:#\$-]+"/>:
>     <div mystyle='font:##000'>andrew</div>
>     and this correctly errors out:<div mystyle='font:##000*'>andrew</div>
>     incidentally in the antisamy-myspace-1.2.xml there is a note in
>     the common-attributes for style where it says:
>     "the "style" attribute will be validated by an inline stylesheet
>     scanner, so no need to define anything here - i hate having to
>     special case this but no other choice"
>     - maybe myspace had a problem too?
>     Andrew.
>     Jason Li wrote:
>>     What regular expression are you using and where are you putting it?
>>     There are two regular expressions in the default Antisamy policy
>>     and neither of them permit #000 by default.
>>     The first is colorNameOrCode and the second is cssColor. For
>>     stylesheets, the one you want to change is cssColor.
>>     Having two regular expressions like this is kind of confusing
>>     though - we'll look into improving that.
>>     --
>>     -Jason Li-
>>     -jason.li <http://jason.li>@owasp.org-
>>     On Sat, Mar 14, 2009 at 2:50 PM, Andrew Grosset <ag5743 at telus.net
>>     <mailto:ag5743 at telus.net>> wrote:
>>         Hi,
>>         when trying to parse an inline style such as <div
>>         style='color:#000'></div> it returns false
>>         showing ":" (colon) is not allowed even though my regular
>>         expression
>>         allows it. To get round the problem
>>         I change all "style" to "astyle" (any other word will do) and
>>         change the
>>         xml file as well ("style" changed to "astyle").
>>         I am using Railo (coldfusion).
>>         anyone else had a problem with inline style, is this a bug,
>>         although my
>>         hack of changing "style" to something else works
>>         it seems to indicate a fundamental problem somewhere?
>>         Andrew.
>>         _______________________________________________
>>         Owasp-antisamy mailing list
>>         Owasp-antisamy at lists.owasp.org
>>         <mailto:Owasp-antisamy at lists.owasp.org>
>>         https://lists.owasp.org/mailman/listinfo/owasp-antisamy
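
An added example, not code from this thread or from the AntiSamy project: a small Java harness that runs a handful of inline-style fragments through AntiSamy with whatever policy file you name on the command line and prints, for each, the cleaned HTML and every error message AntiSamy recorded. The inputs are constructed to mirror the cases raised above (full and 3-digit hex colours, a padding declaration, the "abc:abc" and "123:123" values, and the same "abc:abc" text in a title attribute so the ordinary attribute-regexp path can be compared with the style path). It assumes AntiSamy 1.x on the classpath; the class and method names are the example's own.

```java
import java.util.List;

import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

/**
 * Runs a set of inline-style fragments through AntiSamy with the policy file
 * named on the command line and reports, for each, the cleaned HTML and every
 * error message AntiSamy recorded. Added example; not code from the thread or
 * from the AntiSamy project.
 */
public class InlineStyleProbe {

    // Constructed inputs mirroring the cases raised in the thread: a full hex
    // colour, a 3-digit hex colour, a padding declaration, two bogus
    // declarations, and the same "abc:abc" text in a non-style attribute so
    // the attribute-regexp path can be compared with the style path.
    static final String[] INPUTS = {
        "<div style=\"color: #000000\">full hex</div>",
        "<div style=\"color:#000\">short hex</div>",
        "<span style=\"padding: 5px;\">padding</span>",
        "<div style=\"abc:abc\">bogus property</div>",
        "<div style=\"123:123\">bogus token</div>",
        "<div title=\"abc:abc\">title attribute</div>",
    };

    /** One scan, summarised as input, output and the errors AntiSamy raised. */
    static String probe(AntiSamy antiSamy, Policy policy, String input)
            throws ScanException, PolicyException {
        CleanResults results = antiSamy.scan(input, policy);
        StringBuilder report = new StringBuilder();
        report.append("IN : ").append(input).append('\n');
        report.append("OUT: ").append(results.getCleanHTML().trim()).append('\n');
        // An attribute that vanishes from OUT with no line here was discarded
        // without any rule reporting it; one that vanishes with an error has
        // the rejected attribute or property named in the error text.
        List<String> errors = results.getErrorMessages();
        report.append("ERR: ").append(errors.size()).append('\n');
        for (String error : errors) {
            report.append("     ").append(error).append('\n');
        }
        return report.toString();
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java InlineStyleProbe <policy.xml>");
            System.exit(2);
        }
        // Policy.getInstance(String) loads the policy from a file path.
        Policy policy = Policy.getInstance(args[0]);
        AntiSamy antiSamy = new AntiSamy();
        for (String input : INPUTS) {
            System.out.println(probe(antiSamy, policy, input));
        }
    }
}
```

Run it once against the bare-bones policy above and once against the default antisamy.xml Jason links, and compare the two reports line by line. The myspace policy note quoted in the thread says a "style" value is validated by the inline stylesheet scanner rather than by a regexp declared on the attribute, and Jason identifies cssColor as the regexp that governs colours for stylesheets; so the place to permit #000 is the policy's cssColor regexp under the CSS rules, not a regexp attached to <attribute name="style">. The title input is there to show the attribute-regexp path, where the letternumber regexp does apply, for contrast.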

-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-antisamy/attachments/20090321/f12dc565/attachment.html 
