[Owasp-antisamy] inline style problem

Jason Li jason.li at owasp.org
Sun Mar 22 23:27:15 EDT 2009


Andrew,

The reason why your policy file isn't working for you is because there
are no CSS rules in your policy file. AntiSamy has special behavior
that validates CSS between <style> tags or in the style attribute of
any valid HTML tag.

You've included the style attribute as an allowed attribute, but none
of the associated CSS style rules so when AntiSamy performs
validation, it will return an empty style as nothing has been allowed
by your policy file.

The reason why it "works" when you change the name to "astyle" is
because AntiSamy only applies CSS validation to legal style
declarations (namely those between the <style> tags or in a style
attribute). Therefore, AntiSamy only performs normal validation on the
attribute, but this doesn't provide any protection against malicious
CSS.

AntiSamy is an HTML/CSS validation tool, and while the code works
wonderfully, the real power and beauty is in the default policy file.
We've already done the work of figuring out safe vs. malicious HTML
and CSS for you! If you'd like to create a bare-bones policy file that
validates CSS, I would suggest taking the default policy and trimming
the attributes and values that you don't want.

Hope that helps!

--
-Jason Li-
-jason.li at owasp.org-



On Sat, Mar 21, 2009 at 11:03 PM, Andrew Grosset <ag5743 at telus.net> wrote:
> Jason,
>
> I've created a "bare-bones" xml policy file using the attribute style and it
> strips out the style, i.e. style=''.
> I then changed the attributes to "astyle" (from "style") in my xml file and
> my span to "astyle" and it works!
>
> <span style='padding: 5px;'>testing</span>
>
> Andrew.
>
> <?xml version="1.0" encoding="ISO-8859-1"?>
>
> <!--
> W3C rules retrieved from:
> http://www.w3.org/TR/html401/struct/global.html
> -->
>  <anti-samy-rules xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>         xsi:noNamespaceSchemaLocation="antisamy.xsd">
>
>     <directives>
>         <directive name="omitXmlDeclaration" value="true"/>
>         <directive name="omitDoctypeDeclaration" value="true"/>
>         <directive name="maxInputSize" value="10000"/>
>         <directive name="useXHTML" value="true"/>
>         <directive name="formatOutput" value="true"/>
>         <directive name="embedStyleSheets" value="false"/>
>     </directives>
>
>
>     <common-regexps>
>
>         <!--
>         From W3C:
>         This attribute assigns a class name or set of class names to an
>         element. Any number of elements may be assigned the same class
>         name or names. Multiple class names must be separated by white
>         space characters.
>         -->
>
>         <regexp name="letternumber" value="[A-Za-z0-9\s_:;#\$-]+"/>
>
>
>     </common-regexps>
>
>
>     <common-attributes>
>
>
>         <attribute name="style">
>              <regexp-list>
>                 <regexp name="letternumber"/>
>             </regexp-list>
>         </attribute>
>
>         <attribute name="lang" description="The 'lang' attribute tells the
> browser what language the element's attribute values and content are written
> in">
>              <regexp-list>
>                  <regexp value="[a-zA-Z]{2,20}"/>
>              </regexp-list>
>          </attribute>
>
>          <attribute name="title" description="The 'title' attribute provides
> text that shows up in a 'tooltip' when a user hovers their mouse over the
> element">
>              <regexp-list>
>                  <regexp name="letternumber"/>
>              </regexp-list>
>          </attribute>
>
>     </common-attributes>
>
>     <global-tag-attributes>
>         <attribute name="title"/>
>         <attribute name="lang"/>
>     </global-tag-attributes>
>
>     <tag-rules>
>
>         <tag name="span" action="validate">
>            <attribute name="style"/>
>         </tag>
>
>         <tag name="div" action="validate">
>            <attribute name="style"/>
>         </tag>
>
>     </tag-rules>
>
>
>     <css-rules>
>
>
>     </css-rules>
>
> </anti-samy-rules>
>
>
> Jason Li wrote:
>
> Andrew,
>
> I can't reproduce the effect you're having with the style attribute being
> eliminated.
>
> Which policy file are you using? Not every policy allows CSS. Let me know
> some more details (such as which policy file you're using and what changes
> you have made) and I will try to help out.
>
> Using the default policy file, I am able to do:
> <div style="color: #000000"></div>
>
> though this is converted to:
> <div style="color: rgb(0,0,0);"/> by CSS/HTML canonicalization.
>
> Note that three digit hexadecimal specification of color values wasn't in
> the last release of AntiSamy. The change has been made to support this in
> the next release (or you can download the most recent Antisamy policy file
> here:
> http://owaspantisamy.googlecode.com/svn/trunk/Java/current/resources/antisamy.xml)
>
> --
> -Jason Li-
> -jason.li at owasp.org-
>
>
> On Sat, Mar 14, 2009 at 6:36 PM, Andrew Grosset <ag5743 at telus.net> wrote:
>>
>> the regular expression with style has no effect - I tested it with just
>> letters and a colon [A-Za-z:]+
>> everything is stripped out with no error message unless a colon is used ie
>> style='abc:abc' will produce an error message: The <b>div</b> tag had a
>> style attribute, <b>"abc"</b>, that could not be allowed for security
>> reasons
>> style='123:123' is stripped out with no error
>> style='abc:a' produces an error
>> style='abc:' is stripped out with no error
>>
>> by renaming all inline styles from "style" to "mystyle" (or any other
>> name) and changing the xml to match I can make it work with the regular
>> expression I want.
>>
>> this works using <regexp name="letternumber" value="[A-Za-z0-9_:#\$-]+"/>:
>>
>> <div mystyle='font:##000'>andrew</div>
>>
>> and this correctly errors out:<div mystyle='font:##000*'>andrew</div>
>>
>> incidentally in the antisamy-myspace-1.2.xml there is a note in the
>> common-attributes for style where it says:
>> "the "style" attribute will be validated by an inline stylesheet scanner,
>> so no need to define anything here - i hate having to special case this but
>> no other choice"
>> - maybe myspace had a problem too?
>>
>> Andrew.
>>
>>
>>
>> Jason Li wrote:
>>
>> What regular expression are you using and where are you putting it?
>>
>> There are two regular expressions in the default Antisamy policy and
>> neither of them permit #000 by default.
>>
>> The first is colorNameOrCode and the second is cssColor. For stylesheets,
>> the one you want to change is cssColor.
>>
>> Having two regular expressions like this is kind of confusing though -
>> we'll look into improving that.
>>
>> --
>> -Jason Li-
>> -jason.li at owasp.org-
>>
>>
>> On Sat, Mar 14, 2009 at 2:50 PM, Andrew Grosset <ag5743 at telus.net> wrote:
>>>
>>> Hi,
>>>
>>> when trying to parse an inline style such as <div
>>> style='color:#000'></div> it returns false
>>> showing ":"(colon)  is not allowed even though my regular expression
>>> allows it. To get round the problem
>>> I change all "style" to "astyle" (any other word will do) and change the
>>> xml file as well ("style" changed to "astyle").
>>> I am using Railo (coldfusion).
>>>
>>> anyone else had a problem with inline style, is this a bug, although my
>>> hack of changing "style" to something else works
>>> it seems to indicate a fundamental problem somewhere?
>>>
>>> Andrew.
>>> _______________________________________________
>>> Owasp-antisamy mailing list
>>> Owasp-antisamy at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-antisamy
>>
>>
>
>
>
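As an added illustration of Jason's point (this is not code from the thread or from the AntiSamy project), the two fragments below are what Andrew's "bare-bones" policy lacks: a regular expression for a CSS length token in <common-regexps>, and at least one <property> inside <css-rules> so the inline stylesheet scanner has something it is allowed to accept. The regexp name "cssLength", the property's default/description values and the padding-only scope are my assumptions; they are not the names used in the default antisamy.xml. With these in place the intent is that a declaration such as padding: 5px; in a style attribute passes CSS validation instead of being emptied, while any property not listed (and any value that fails the regexp) is still dropped. Jason's advice stands as the safer route: start from the default policy and trim it rather than grow a minimal one.

```xml
<!-- Added example (not from the mailing-list thread or the AntiSamy project). -->
<!-- Fragment 1: goes inside <common-regexps>. -->
<common-regexps>
    <!-- Hypothetical name. Matches 0, 5px, 1.5em, 10%, -2pt: optional sign,
         digits with optional fraction, optional unit or percent sign. -->
    <regexp name="cssLength"
            value="(\-)?(0|[0-9]+(\.[0-9]+)?(em|ex|px|in|cm|mm|pt|pc|%)?)"/>
</common-regexps>

<!-- Fragment 2: goes inside <css-rules>. An empty <css-rules/> means no CSS
     declaration is permitted, so style="..." is always returned empty.
     Only "padding" is allowed here; every other property is rejected. -->
<css-rules>
    <property name="padding" default="0"
              description="Inner spacing of the box (added example)">
        <category-list>
            <category value="visual"/>
        </category-list>
        <literal-list>
            <literal value="inherit"/>
        </literal-list>
        <regexp-list>
            <!-- Each value token must match the cssLength regexp above. -->
            <regexp name="cssLength"/>
        </regexp-list>
    </property>
</css-rules>
```

The policy file's <tag-rules> entries for span and div can keep their <attribute name="style"/> lines unchanged; it is the <css-rules> section, not the attribute regexp, that decides what survives in an inline style, which is why Andrew's "letternumber" regexp never had any effect on the real style attribute.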

