[Owasp-antisamy] HTML & CSS Formatting Issues

Arshan Dabirsiaghi arshan.dabirsiaghi at aspectsecurity.com
Tue May 12 00:14:55 EDT 2009


Luke,

This is indeed a bug. Can you create an issue on the Google Code
issues list so that it doesn't get lost?

Thanks,
Arshan



On May 8, 2009, at 8:20 PM, "Luke Bunselmeyer"  
<LBunselmeyer at EZREZ.COM> wrote:

> Hi Jason,
>
> Thanks for the quick reply. Although the CSS output is functionally
> equivalent, it's like nails on a chalkboard to our web developers.
> However, I can appreciate the canonicalization and serialization
> issues.
>
> Rather than using the cleaned HTML, I am looking for ways to throw
> an exception on a validation failure (i.e. remove or truncate).  I was
> hoping that all validation failures would be logged to
> errorMessages, but this does not seem to be the case.  Specifically,
> the anchor tag below throws an exception but the iframe tag does
> not.  Is there another way to determine if AntiSamy removed or
> truncated any content?
>
>    Exception from line 5
>    <a href="javascript:alert('hacked!');">click me</a>
>
>    No Exception
>    <iframe src='http://www.google.com'></iframe>
>
>
> 1.    AntiSamy antiSamy = new AntiSamy();
> 2.    CleanResults cleanResults = antiSamy.scan(canonical, SLASHDOT_POLICY);
> 3.
> 4.    if(!cleanResults.getErrorMessages().isEmpty()) {
> 5.        throw getException(name);
> 6.    }
>
>
> Thanks again,
> Luke
>
> ________________________________________________________________
> Luke Bunselmeyer || Sr Web Developer || EzRez Software, Inc.
> Tel: 415.541.9100 x2067  || Fax: 415.541.9888  ||  www.ezrez.com
>
> -----Original Message-----
> From: li.jason.c at gmail.com [mailto:li.jason.c at gmail.com] On Behalf  
> Of Jason Li
> Sent: Friday, May 08, 2009 12:27 PM
> To: Luke Bunselmeyer
> Cc: owasp-antisamy at lists.owasp.org
> Subject: Re: [Owasp-antisamy] HTML & CSS Formatting Issues
>
> Currently, output goes through a canonicalization/serialization  
> process.
>
> The use of decimals, rgb, CDATA, or fully qualified selectors
> shouldn't have an adverse effect on the display. Functionally, the CSS
> output that you identified should be visually equivalent as they are
> all legal HTML/CSS syntax.
>
> There have been multiple requests in the past to make the format of
> attributes look like XYZ and unfortunately, it's difficult to provide
> the flexibility to canonicalize and serialize the output in a way that
> everyone is happy.
>
> We'd be interested to hear if any of these equivalents don't match up
> visually. But barring that, it would take some effort and as a result,
> some persuasion for us to implement some kind of framework to support
> various different styles of canonicalization.
>
> The hex code vs. RGB color is the most frequently mentioned
> canonicalization that is up for possible inclusion in a future
> release:
> http://code.google.com/p/owaspantisamy/issues/detail?id=42
>
> Do you see a need for any of these other attributes to be
> canonicalized one way versus another?
> --
> -Jason Li-
> -jason.li at owasp.org-
>
>
>
> On Fri, May 8, 2009 at 2:54 PM, Luke Bunselmeyer <LBunselmeyer at ezrez.com> wrote:
>> Hello,
>>
>>
>>
>> I'm trying out AntiSamy.  So far the tool is very promising.  I was testing
>> the ebay policy, and I noticed some issues with the cleaned HTML and CSS.
>> See the details below.  Are there any configurations to control this output?
>>
>>
>>
>> Thanks in advance,
>>
>> Luke
>>
>>
>>
>> Policy: antisamy-ebay-1.3.xml
>>
>>
>>
>> == HTML Issues ==
>>
>> * Styling: Pixel widths are formatted with decimal precision.  Is: 1.0px,
>> Should Be: 1px;
>>
>> * Whitespace: Original line breaks are stripped.
>>
>>
>>
>> == Dirty HTML ==
>>
>> <div style="border: 1px solid red;background-color:pink;padding: 5px;"
>> onclick="alert('EzWhat?  EzRez!');">
>>
>>   <h3>Title</h3>
>>
>>
>>
>>   <p>Here is some super fun user content! Yeah!</p>
>>
>>
>>
>>   <a href="#" onclick="alert('Look an alert!')">Click Me!</a>
>>
>> </div>
>>
>>
>>
>> == Cleaned HTML ==
>>
>> <div style="border: 1.0px solid red;padding: 5.0px;">
>>
>>   <h3>Title</h3>
>>
>>   <p>Here is some super fun user content! Yeah!</p>
>>
>>   <a href="#">Click Me!</a></div>
>>
>>
>>
>> == CSS Issues ==
>>
>> * <![CDATA ]]> tag inserted into style tag.
>>
>> * Pixel widths are formatted with decimal precision.  Is: 1.0px, Should Be: 1px;
>>
>> * Class selectors formatted with * prefix.  Is: *.blue {}, Should Be: .blue {}
>>
>> * Hex colors are formatted with rgb method.  Is: rgb(255,255,255), Should Be: #ffffff
>>
>> * Comments are stripped
>>
>>
>>
>> == Dirty CSS ==
>>
>> <style>
>>
>> BODY {
>>
>>   background-color: #ffffff;
>>
>>   font-family: verdana, arial, tahoma;
>>
>>   font-size: 10px;
>>
>>   margin-bottom: 0;
>>
>>   margin-left: 0;
>>
>>   margin-right: 0;
>>
>>   margin-top: 0;
>>
>> }
>>
>>
>>
>> /*a {color:#017DDE; font-family: verdana, arial, tahoma; font-size: 10px; font-weight : bold;}*/
>>
>> p, ol, ul, li, i, td {
>>
>>   color: #000000;
>>
>>   font-family: verdana, arial, tahoma;
>>
>>   font-size: 10px;
>>
>> }
>>
>>
>>
>> .blue {
>>
>>   color: #000000;
>>
>>   font-family: verdana, arial, tahoma;
>>
>>   font-size: 11px;
>>
>> }
>>
>> </style>
>>
>>
>>
>> == Cleaned CSS ==
>>
>> <style><![CDATA[BODY {
>>
>>                 background-color: rgb(255,255,255);
>>
>>                 font-family: verdana , arial , tahoma;
>>
>>                 font-size: 10.0px;
>>
>>                 margin-bottom: 0;
>>
>>                 margin-left: 0;
>>
>>                 margin-right: 0;
>>
>>                 margin-top: 0;
>>
>> }
>>
>> p, ol, ul, li, i, td {
>>
>>                 color: rgb(0,0,0);
>>
>>                 font-family: verdana , arial , tahoma;
>>
>>                 font-size: 10.0px;
>>
>> }
>>
>>
>>
>> *.blue {
>>
>>                 color: rgb(0,0,0);
>>
>>                 font-family: verdana , arial , tahoma;
>>
>>                 font-size: 11.0px;
>>
>> }
>>
>> ]]></style>
>>
>>
>>
>> This message may contain confidential information.  If you are not  
>> the
>> intended recipient (or authorized to receive for the recipient) and  
>> received
>> this message in error; any use, distribution or disclosure is  
>> strictly
>> prohibited.  Please contact the sender by reply email and delete  
>> all copies
>> of this message from your computer system.  The views and opinions  
>> expressed
>> in this email are those of the sender and do not necessarily  
>> reflect the
>> views or policies of EzRez Software, except when the sender  
>> expressly and
>> with authority states them to be so.
>>
>>
>> _______________________________________________
>> Owasp-antisamy mailing list
>> Owasp-antisamy at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-antisamy
>>
>>
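The practical question in this thread is how to fail closed when AntiSamy drops something (the <iframe> case) even though nothing shows up in errorMessages. Because the serializer rewrites formatting on every pass (1px becomes 1.0px, #ffffff becomes rgb(255,255,255), comments and line breaks disappear), a byte-for-byte comparison of input and output is useless as a removal check. The following is an added example, not code from the thread or from the AntiSamy project: it wraps the AntiSamy 1.x API calls that do appear on this page (new AntiSamy(), scan(input, policy), CleanResults.getCleanHTML() and getErrorMessages()) plus Policy.getInstance(String), and rejects input when either errors are reported or the cleaned output contains fewer elements of any tag name than the input. The class name StrictSanitizer, the RejectedInputException type, the policy path argument and the sample inputs are my own assumptions and constructions.

```java
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

/**
 * Fail-closed wrapper around AntiSamy (added example, not part of the project).
 * Rejects input instead of silently returning a cleaned version that lost content.
 */
public class StrictSanitizer {

    // Matches the name of an opening tag ("<a", "<IFRAME", "<h3") but not
    // closing tags, comments, CDATA sections or entity-encoded "&lt;".
    private static final Pattern OPEN_TAG = Pattern.compile("<\\s*([A-Za-z][A-Za-z0-9]*)");

    private final AntiSamy antiSamy = new AntiSamy();
    private final Policy policy;

    /** policyPath is assumed to point at an AntiSamy policy file, e.g. antisamy-ebay-1.3.xml. */
    public StrictSanitizer(String policyPath) throws PolicyException {
        this.policy = Policy.getInstance(policyPath);
    }

    /** Hypothetical exception type: thrown when the input cannot be accepted as-is. */
    public static class RejectedInputException extends Exception {
        public RejectedInputException(String msg) { super(msg); }
    }

    /** Returns the cleaned HTML, or throws if AntiSamy reported errors or removed elements. */
    public String sanitizeOrReject(String input)
            throws ScanException, PolicyException, RejectedInputException {
        CleanResults results = antiSamy.scan(input, policy);

        // 1. Anything AntiSamy chose to report is a rejection (this is the
        //    check from the thread; it catches the javascript: href case).
        if (!results.getErrorMessages().isEmpty()) {
            throw new RejectedInputException("policy violations: " + results.getErrorMessages());
        }

        // 2. Silent removals: compare per-tag-name counts of input vs. output.
        //    Only a decrease counts, because serialization may legitimately
        //    add tags (closing unbalanced markup) and rewrites attribute/CSS
        //    formatting without changing the element set.
        String clean = results.getCleanHTML();
        Map<String, Integer> before = tagCounts(input);
        Map<String, Integer> after = tagCounts(clean);
        for (Map.Entry<String, Integer> e : before.entrySet()) {
            int kept = after.getOrDefault(e.getKey(), 0);
            if (kept < e.getValue()) {
                throw new RejectedInputException("<" + e.getKey() + "> removed: "
                        + e.getValue() + " in input, " + kept + " in output");
            }
        }
        return clean;
    }

    /** Counts opening-tag names, case-insensitively. */
    static Map<String, Integer> tagCounts(String html) {
        Map<String, Integer> counts = new HashMap<>();
        Matcher m = OPEN_TAG.matcher(html);
        while (m.find()) {
            counts.merge(m.group(1).toLowerCase(Locale.ROOT), 1, Integer::sum);
        }
        return counts;
    }

    public static void main(String[] args) throws Exception {
        StrictSanitizer s = new StrictSanitizer(args[0]);
        // Constructed samples mirroring the thread: plain content, the iframe
        // that was dropped without an error message, and the reported javascript: href.
        String[] samples = {
            "<p>Here is some super fun user content! Yeah!</p>",
            "<iframe src='http://www.google.com'></iframe>",
            "<a href=\"javascript:alert('hacked!');\">click me</a>"
        };
        for (String sample : samples) {
            try {
                System.out.println("ACCEPTED: " + s.sanitizeOrReject(sample));
            } catch (RejectedInputException ex) {
                System.out.println("REJECTED: " + ex.getMessage());
            }
        }
    }
}
```

Two caveats. The tag tokenizer is a heuristic, not an HTML parser: literal text such as "a<b" is counted as an element on the way in and entity-encoded on the way out, so it produces a rejection rather than an acceptance, which is the safe direction for a fail-closed check. It also does not notice attribute stripping (the onclick handlers in the eBay example survive only as far as the element count is concerned); if that matters, either extend the comparison to attribute names or keep relying on errorMessages for the cases AntiSamy does report.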

