[Owasp-antisamy] HTML & CSS Formatting Issues

Jason Li jason.li at owasp.org
Fri May 8 15:26:42 EDT 2009


Currently, output goes through a canonicalization/serialization process.

The use of decimals, rgb, CDATA, or fully qualified selectors
shouldn't have an adverse effect on the display. Functionally, the CSS
output that you identified should be visually equivalent as they are
all legal HTML/CSS syntax.

There have been multiple requests in the past to make the format of
attributes look like XYZ and unfortunately, it's difficult to provide
the flexibility to canonicalize and serialize the output in a way that
everyone is happy with.

We'd be interested to hear if any of these equivalents don't match up
visually. But barring that, it would take some effort and as a result,
some persuasion for us to implement some kind of framework to support
various different styles of canonicalization.

The hex code vs. RGB color is the most frequently mentioned
canonicalization that is up for possible inclusion in a future
release:
http://code.google.com/p/owaspantisamy/issues/detail?id=42

Do you see a need for any of these other attributes to be
canonicalized one way versus another?
--
-Jason Li-
-jason.li at owasp.org-



On Fri, May 8, 2009 at 2:54 PM, Luke Bunselmeyer <LBunselmeyer at ezrez.com> wrote:
> Hello,
>
> I'm trying out AntiSamy.  So far the tool is very promising.  I was testing
> the ebay policy, and I noticed some issues with the cleaned HTML and CSS.
> See the details below.   Are there any configurations to control this
> output?
>
> Thanks in advance,
>
> Luke
>
> Policy: antisamy-ebay-1.3.xml
>
> == HTML Issues ==
>
> * Styling: Pixel widths are formatted with decimal precision.  IS: 1.0px,
> Should Be: 1px;
>
> * Whitespace: Original line breaks are stripped.
>
> == Dirty HTML ==
>
> <div style="border: 1px solid red;background-color:pink;padding: 5px;"
> onclick="alert('EzWhat?  EzRez!');">
>
>   <h3>Title</h3>
>
>
>
>   <p>Here is some super fun user content! Yeah!</p>
>
>
>
>   <a href="#" onclick="alert('Look an alert!')">Click Me!</a>
>
> </div>
>
>
>
> == Cleaned HTML ==
>
> <div style="border: 1.0px solid red;padding: 5.0px;">
>
>   <h3>Title</h3>
>
>   <p>Here is some super fun user content! Yeah!</p>
>
>   <a href="#">Click Me!</a></div>
>
> == CSS Issues ==
>
> * <![CDATA ]]> tag inserted into style tag.
>
> * Pixel widths are formatted with decimal precision.  IS: 1.0px, Should Be:
> 1px;
>
> * Class selectors formatted with * prefix.  Is: *.blue {}, Should Be: .blue
> {}
>
> * Hex colors are formatted with rgb method. Is: rgb(255,255,255), Should Be:
> #ffffff
>
> * Comments are stripped
>
> == Dirty CSS ==
>
> <style>
>
> BODY {
>
>   background-color: #ffffff;
>
>   font-family: verdana, arial, tahoma;
>
>   font-size: 10px;
>
>   margin-bottom: 0;
>
>   margin-left: 0;
>
>   margin-right: 0;
>
>   margin-top: 0;
>
> }
>
>
>
> /*a {color:#017DDE; font-family: verdana, arial, tahoma; font-size: 10px;
> font-weight : bold;}*/
>
> p, ol, ul, li, i, td {
>
>   color: #000000;
>
>   font-family: verdana, arial, tahoma;
>
>   font-size: 10px;
>
> }
>
>
>
> .blue {
>
>   color: #000000;
>
>   font-family: verdana, arial, tahoma;
>
>   font-size: 11px;
>
> }
>
> </style>
>
>
>
> == Cleaned CSS ==
>
> <style><![CDATA[BODY {
>
>                 background-color: rgb(255,255,255);
>
>                 font-family: verdana , arial , tahoma;
>
>                 font-size: 10.0px;
>
>                 margin-bottom: 0;
>
>                 margin-left: 0;
>
>                 margin-right: 0;
>
>                 margin-top: 0;
>
> }
>
> p, ol, ul, li, i, td {
>
>                 color: rgb(0,0,0);
>
>                 font-family: verdana , arial , tahoma;
>
>                 font-size: 10.0px;
>
> }
>
>
>
> *.blue {
>
>                 color: rgb(0,0,0);
>
>                 font-family: verdana , arial , tahoma;
>
>                 font-size: 11.0px;
>
> }
>
> ]]></style>
>
>
>
> __________________________________________________________
> Luke Bunselmeyer || Sr Web Developer || EzRez Software, Inc.
> Tel: 415.541.9100 x2067  || Fax: 415.541.9888  ||  www.ezrez.com
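The exchange above is about two separate things: the security outcome of the scan (the onclick handlers are gone from the cleaned HTML) and the cosmetic spelling the serializer chooses (1.0px, rgb(), *.blue). The following Java program is an added example for this archive page, not code from the thread or from the AntiSamy project. It runs the eBay policy named in the thread over the "dirty" fragment quoted above, checks that no event handler or script survived, and then shows that the serializer's spelling and the author's spelling of the same CSS are equivalent once both are rewritten to one canonical form. It assumes the AntiSamy jar is on the classpath and that antisamy-ebay-1.3.xml is in the working directory; the class name AntiSamyCanonCheck and the helpers scriptFree and canonicalCss are this example's own, and the canonicalization is test-side comparison logic only, not a replacement for the library's serializer.

```java
import java.util.List;
import java.util.Locale;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

/** Example added to this archive page; not code from the thread or the AntiSamy project. */
public class AntiSamyCanonCheck {

    // Constructed fixture: the "dirty" fragment quoted in the message above.
    static final String DIRTY =
          "<div style=\"border: 1px solid red;background-color:pink;padding: 5px;\""
        + " onclick=\"alert('EzWhat?  EzRez!');\">\n"
        + "  <h3>Title</h3>\n"
        + "  <p>Here is some super fun user content! Yeah!</p>\n"
        + "  <a href=\"#\" onclick=\"alert('Look an alert!')\">Click Me!</a>\n"
        + "</div>";

    // Any on* attribute (onclick, onload, ...) still present after the scan is a sanitizer failure.
    static final Pattern EVENT_HANDLER =
        Pattern.compile("\\son[a-z]+\\s*=", Pattern.CASE_INSENSITIVE);

    // Spellings the serializer emits that are equivalent to the input:
    // "1.0px" for "1px", "rgb(255,255,255)" for "#ffffff", "*.blue" for ".blue".
    static final Pattern TRAILING_ZERO = Pattern.compile("(\\d+)\\.0+(px|pt|em|%)");
    static final Pattern RGB_FUNC =
        Pattern.compile("rgb\\(\\s*(\\d{1,3})\\s*,\\s*(\\d{1,3})\\s*,\\s*(\\d{1,3})\\s*\\)");

    /** True when no inline event handler, script element or javascript: URL survived the scan. */
    static boolean scriptFree(String cleanHtml) {
        String lower = cleanHtml.toLowerCase(Locale.ROOT);
        return !EVENT_HANDLER.matcher(cleanHtml).find()
            && !lower.contains("<script")
            && !lower.contains("javascript:");
    }

    /**
     * Rewrite CSS text to one spelling so the original and the cleaned form can be
     * compared for equivalence. Comparison logic for a check only; nothing produced
     * here is fed back into the sanitized output.
     */
    static String canonicalCss(String css) {
        String s = TRAILING_ZERO.matcher(css).replaceAll("$1$2");
        Matcher m = RGB_FUNC.matcher(s);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            int r = Math.min(255, Integer.parseInt(m.group(1)));
            int g = Math.min(255, Integer.parseInt(m.group(2)));
            int b = Math.min(255, Integer.parseInt(m.group(3)));
            m.appendReplacement(out, String.format("#%02x%02x%02x", r, g, b));
        }
        m.appendTail(out);
        return out.toString()
                  .replace("*.", ".")               // universal selector + class == class alone
                  .replaceAll("\\s*,\\s*", ",")     // "verdana , arial" vs "verdana, arial"
                  .replaceAll("\\s+", " ")
                  .toLowerCase(Locale.ROOT)
                  .trim();
    }

    public static void main(String[] args) throws PolicyException, ScanException {
        // Policy file named in the thread; assumed to be in the working directory.
        Policy policy = Policy.getInstance("antisamy-ebay-1.3.xml");
        CleanResults results = new AntiSamy().scan(DIRTY, policy);
        String clean = results.getCleanHTML();

        System.out.println("Cleaned HTML:\n" + clean);
        // AntiSamy records one message per element or attribute it removed or changed;
        // this list is where to look when something (e.g. the pink background) disappears.
        List<String> messages = results.getErrorMessages();
        for (String msg : messages) System.out.println("  note: " + msg);

        if (!scriptFree(clean)) {
            throw new IllegalStateException("event handler or script survived the scan");
        }

        // Cosmetic equivalence: the serializer's spelling versus the author's spelling.
        String serialized = "*.blue { color: rgb(0,0,0); font-family: verdana , arial , tahoma; font-size: 11.0px; }";
        String authored   = ".blue { color: #000000; font-family: verdana, arial, tahoma; font-size: 11px; }";
        if (!canonicalCss(serialized).equals(canonicalCss(authored))) {
            throw new IllegalStateException("cleaned CSS is not equivalent to the input");
        }
        System.out.println("OK: scripts removed, CSS differences are cosmetic only");
    }
}
```

The point of keeping the two checks separate is that the first one (scriptFree) is the security property and must hold for every input, while the second one only documents that the serializer's output is a different spelling of the same stylesheet. If a team really needs 1px rather than 1.0px for presentation reasons, the place to do that rewriting is in a display layer that never widens what the policy allowed, never by editing the sanitizer's output before it is stored.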

