[Owasp-antisamy] HTML & CSS Formatting Issues

Luke Bunselmeyer LBunselmeyer at EZREZ.COM
Fri May 8 21:27:59 EDT 2009


Hi Jason,

Sorry for the number of emails.  In any case, I don't know if this was intended, but it seems that iframe, link, and script tags without child nodes are removed without an error message.  Specifically, these tags are not in the allowedEmptyTags array, so they are nuked.  This isn't a huge issue, but it would be nice to get an error message.  This also means that these tags will always be removed despite the policy setting.

No Error Message
<iframe src='http://www.hacker.com/fishing.html'></iframe>
<link rel="stylesheet" type="text/css" href="http://www.hacker.com/takeover.css"/>
<script src='http://www.hacker.com/takeover.js'></script>

Error Message
<iframe src='http://www.hacker.com/fishing.html'>&nbsp;</iframe>
<script src='http://www.hacker.com/takeover.js'>&nbsp;</script>

Thanks,
Luke
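One way to catch the silent removal described above (and to answer the question in the earlier message about detecting removed content), as an added example that is not from this thread or from AntiSamy itself: compare the tag counts of the raw input and the cleaned output alongside getErrorMessages(). It assumes AntiSamy 1.3's org.owasp.validator.html API and a slashdot policy file at the path shown; both the path and the sample input are assumptions.

```java
import java.util.Map;
import java.util.TreeMap;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

public class SilentRemovalCheck {
    // Name of every opening tag; closing tags, comments and CDATA do not match.
    private static final Pattern OPEN_TAG = Pattern.compile("<([A-Za-z][A-Za-z0-9]*)[\\s/>]");

    /** Counts opening tags by lower-cased name. */
    static Map<String, Integer> tagCounts(String html) {
        Map<String, Integer> counts = new TreeMap<String, Integer>();
        Matcher m = OPEN_TAG.matcher(html);
        while (m.find()) {
            String name = m.group(1).toLowerCase();
            Integer seen = counts.get(name);
            counts.put(name, seen == null ? 1 : seen + 1);
        }
        return counts;
    }

    /** Tags whose count fell between raw input and cleaned output, with how many were lost. */
    static Map<String, Integer> droppedTags(String input, String cleaned) {
        Map<String, Integer> after = tagCounts(cleaned);
        Map<String, Integer> dropped = new TreeMap<String, Integer>();
        for (Map.Entry<String, Integer> e : tagCounts(input).entrySet()) {
            Integer kept = after.get(e.getKey());
            int lost = e.getValue() - (kept == null ? 0 : kept);
            if (lost > 0) dropped.put(e.getKey(), lost);
        }
        return dropped;
    }

    public static void main(String[] args) throws PolicyException, ScanException {
        Policy policy = Policy.getInstance("antisamy-slashdot-1.3.xml"); // file path is an assumption
        // Constructed sample input: benign markup plus an empty iframe like the one in the thread.
        String input = "<p>Hello</p><iframe src='http://example.invalid/'></iframe>";
        CleanResults results = new AntiSamy().scan(input, policy);
        Map<String, Integer> dropped = droppedTags(input, results.getCleanHTML());
        // Reject when the policy reported errors OR a tag vanished with no error message.
        if (!results.getErrorMessages().isEmpty() || !dropped.isEmpty()) {
            System.out.println("rejected; errors=" + results.getErrorMessages() + " dropped=" + dropped);
        } else {
            System.out.println("accepted: " + results.getCleanHTML());
        }
    }
}
```

Because AntiSamy canonicalizes attributes and CSS, a textual diff of the whole output is not useful; the tag-count comparison catches removed elements but not truncated attributes or stripped inline styles.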

-----Original Message-----
From: Luke Bunselmeyer 
Sent: Friday, May 08, 2009 5:19 PM
To: 'Jason Li'
Cc: owasp-antisamy at lists.owasp.org
Subject: RE: [Owasp-antisamy] HTML & CSS Formatting Issues

Hi Jason,

Thanks for the quick reply. Although the CSS output is functionally equivalent, it's like nails on a chalkboard to our web developers.  However, I can appreciate the canonicalization and serialization issues.

Rather than using the cleaned HTML, I am looking for ways to throw an exception on a validation failure (i.e. remove or truncate).  I was hoping that all validation failures would be logged to errorMessages, but this does not seem to be the case.  Specifically, the anchor tag below throws an exception but the iframe tag does not.  Is there another way to determine if AntiSamy removed or truncated any content?

	Exception from line 5
	<a href="javascript:alert('hacked!');">click me</a>

	No Exception
	<iframe src='http://www.google.com'></iframe>


1.	AntiSamy antiSamy = new AntiSamy();
2.	CleanResults cleanResults = antiSamy.scan(canonical, SLASHDOT_POLICY);
3.
4.	if(!cleanResults.getErrorMessages().isEmpty()) {
5.		throw getException(name);
6.	}


Thanks again,
Luke

________________________________________________________________
Luke Bunselmeyer || Sr Web Developer || EzRez Software, Inc.
Tel: 415.541.9100 x2067  || Fax: 415.541.9888  ||  www.ezrez.com

-----Original Message-----
From: li.jason.c at gmail.com [mailto:li.jason.c at gmail.com] On Behalf Of Jason Li
Sent: Friday, May 08, 2009 12:27 PM
To: Luke Bunselmeyer
Cc: owasp-antisamy at lists.owasp.org
Subject: Re: [Owasp-antisamy] HTML & CSS Formatting Issues

Currently, output goes through a canonicalization/serialization process.

The use of decimals, rgb, CDATA, or fully qualified selectors
shouldn't have an adverse effect on the display. Functionally, the CSS
output that you identified should be visually equivalent as they are
all legal HTML/CSS syntax.

There have been multiple requests in the past to make the format of
attributes look like XYZ and unfortunately, it's difficult to provide
the flexibility to canonicalize and serialize the output in a way that
everyone is happy.

We'd be interested to hear if any of these equivalents don't match up
visually. But barring that, it would take some effort and as a result,
some persuasion for us to implement some kind of framework to support
various different styles of canonicalization.

The hex code vs. RGB color is the most frequently mentioned
canonicalization that is up for possible inclusion in a future
release:
http://code.google.com/p/owaspantisamy/issues/detail?id=42

Do you see a need for any of these other attributes to be
canonicalized one way versus another?
--
-Jason Li-
-jason.li at owasp.org-



On Fri, May 8, 2009 at 2:54 PM, Luke Bunselmeyer <LBunselmeyer at ezrez.com> wrote:
> Hello,
>
> I'm trying out AntiSamy.  So far the tool is very promising.  I was testing
> the ebay policy, and I noticed some issues with the cleaned HTML and CSS.
> See the details below.   Are there any configurations to control this
> output?
>
> Thanks in advance,
> Luke
>
> Policy: antisamy-ebay-1.3.xml
>
> == HTML Issues ==
> * Styling: Pixel widths are formatted with decimal precision.  IS: 1.0px,
> Should Be: 1px;
> * Whitespace: Original line breaks are stripped.
>
> == Dirty HTML ==
> <div style="border: 1px solid red;background-color:pink;padding: 5px;"
> onclick="alert('EzWhat?  EzRez!');">
>   <h3>Title</h3>
>
>   <p>Here is some super fun user content! Yeah!</p>
>
>   <a href="#" onclick="alert('Look an alert!')">Click Me!</a>
> </div>
>
> == Cleaned HTML ==
> <div style="border: 1.0px solid red;padding: 5.0px;">
>   <h3>Title</h3>
>   <p>Here is some super fun user content! Yeah!</p>
>   <a href="#">Click Me!</a></div>
>
> == CSS Issues ==
> * <![CDATA ]]> tag inserted into style tag.
> * Pixel widths are formatted with decimal precision.  IS: 1.0px, Should Be:
> 1px;
> * Class selectors formatted with * prefix.  Is: *.blue {}, Should Be: .blue
> {}
> * Hex colors are formatted with rgb method. Is: rgb(255,255,255), Should Be:
> #ffffff
> * Comments are stripped
>
> == Dirty CSS ==
> <style>
> BODY {
>   background-color: #ffffff;
>   font-family: verdana, arial, tahoma;
>   font-size: 10px;
>   margin-bottom: 0;
>   margin-left: 0;
>   margin-right: 0;
>   margin-top: 0;
> }
>
> /*a {color:#017DDE; font-family: verdana, arial, tahoma; font-size: 10px;
> font-weight : bold;}*/
> p, ol, ul, li, i, td {
>   color: #000000;
>   font-family: verdana, arial, tahoma;
>   font-size: 10px;
> }
>
> .blue {
>   color: #000000;
>   font-family: verdana, arial, tahoma;
>   font-size: 11px;
> }
> </style>
>
> == Cleaned CSS ==
> <style><![CDATA[BODY {
>                 background-color: rgb(255,255,255);
>                 font-family: verdana , arial , tahoma;
>                 font-size: 10.0px;
>                 margin-bottom: 0;
>                 margin-left: 0;
>                 margin-right: 0;
>                 margin-top: 0;
> }
> p, ol, ul, li, i, td {
>                 color: rgb(0,0,0);
>                 font-family: verdana , arial , tahoma;
>                 font-size: 10.0px;
> }
>
> *.blue {
>                 color: rgb(0,0,0);
>                 font-family: verdana , arial , tahoma;
>                 font-size: 11.0px;
> }
> ]]></style>
>
> __________________________________________________________
> Luke Bunselmeyer || Sr Web Developer || EzRez Software, Inc.
> Tel: 415.541.9100 x2067  || Fax: 415.541.9888  ||  www.ezrez.com
>
>
>
> This message may contain confidential information.  If you are not the
> intended recipient (or authorized to receive for the recipient) and received
> this message in error; any use, distribution or disclosure is strictly
> prohibited.  Please contact the sender by reply email and delete all copies
> of this message from your computer system.  The views and opinions expressed
> in this email are those of the sender and do not necessarily reflect the
> views or policies of EzRez Software, except when the sender expressly and
> with authority states them to be so.
>
>
> _______________________________________________
> Owasp-antisamy mailing list
> Owasp-antisamy at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-antisamy
>
>