[Owasp-antisamy] HTML & CSS Formatting Issues

Luke Bunselmeyer LBunselmeyer at EZREZ.COM
Wed May 13 14:09:19 EDT 2009


Done.

http://code.google.com/p/owaspantisamy/issues/detail?id=44

Thanks,
Luke

-----Original Message-----
From: Arshan Dabirsiaghi [mailto:arshan.dabirsiaghi at aspectsecurity.com] 
Sent: Monday, May 11, 2009 9:15 PM
To: Luke Bunselmeyer
Cc: Jason Li; owasp-antisamy at lists.owasp.org
Subject: Re: [Owasp-antisamy] HTML & CSS Formatting Issues

Luke,

This is indeed a bug. Can you create an issue on the Google Code
issues list so that it doesn't get lost?

Thanks,
Arshan



On May 8, 2009, at 8:20 PM, "Luke Bunselmeyer"  
<LBunselmeyer at EZREZ.COM> wrote:

> Hi Jason,
>
> Thanks for the quick reply. Although the CSS output is functionally
> equivalent, it's like nails on a chalkboard to our web developers.
> However, I can appreciate the canonicalization and serialization
> issues.
>
> Rather than using the cleaned HTML, I am looking for ways to throw
> an exception on a validation failure (i.e. remove or truncate).  I was
> hoping that all validation failures would be logged to
> errorMessages, but this does not seem to be the case.  Specifically,
> the anchor tag below throws an exception but the iframe tag does
> not.  Is there another way to determine if AntiSamy removed or
> truncated any content?
>
>    Exception from line 5
>    <a href="javascript:alert('hacked!');">click me</a>
>
>    No Exception
>    <iframe src='http://www.google.com'></iframe>
>
>
> 1.    AntiSamy antiSamy = new AntiSamy();
> 2.    CleanResults cleanResults = antiSamy.scan(canonical,  
> SLASHDOT_POLICY);
> 3.
> 4.    if(!cleanResults.getErrorMessages().isEmpty()) {
> 5.        throw getException(name);
> 6.    }
>
>
> Thanks again,
> Luke
>
> ________________________________________________________________
> Luke Bunselmeyer || Sr Web Developer || EzRez Software, Inc.
> Tel: 415.541.9100 x2067  || Fax: 415.541.9888  ||  www.ezrez.com
>
> -----Original Message-----
> From: li.jason.c at gmail.com [mailto:li.jason.c at gmail.com] On Behalf  
> Of Jason Li
> Sent: Friday, May 08, 2009 12:27 PM
> To: Luke Bunselmeyer
> Cc: owasp-antisamy at lists.owasp.org
> Subject: Re: [Owasp-antisamy] HTML & CSS Formatting Issues
>
> Currently, output goes through a canonicalization/serialization  
> process.
>
> The use of decimals, rgb, CDATA, or fully qualified selectors
> shouldn't have an adverse effect on the display. Functionally, the CSS
> output that you identified should be visually equivalent as they are
> all legal HTML/CSS syntax.
>
> There have been multiple requests in the past to make the format of
> attributes look like XYZ and unfortunately, it's difficult to provide
> the flexibility to canonicalize and serialize the output in a way that
> everyone is happy.
>
> We'd be interested to hear if any of these equivalents don't match up
> visually. But barring that, it would take some effort and as a result,
> some persuasion for us to implement some kind of framework to support
> various different styles of canonicalization.
>
> The hex code vs. RGB color is the most frequently mentioned
> canonicalization that is up for possible inclusion in a future
> release:
> http://code.google.com/p/owaspantisamy/issues/detail?id=42
>
> Do you see a need for any of these other attributes to be
> canonicalized one way versus another?
> --
> -Jason Li-
> -jason.li at owasp.org-
>
>
>
> On Fri, May 8, 2009 at 2:54 PM, Luke Bunselmeyer <LBunselmeyer at ezrez.com> wrote:
>> Hello,
>>
>>
>>
>> I'm trying out AntiSamy.  So far the tool is very promising.  I was  
>> testing
>> the ebay policy, and I noticed some issues with the cleaned HTML  
>> and CSS.
>> See the details below.   Are there any configurations to control this
>> output?
>>
>>
>>
>> Thanks in advance,
>>
>> Luke
>>
>>
>>
>> Policy: antisamy-ebay-1.3.xml
>>
>>
>>
>> == HTML Issues ==
>>
>> * Styling: Pixel widths are formatted with decimal precision.  Is: 1.0px,
>> Should Be: 1px;
>>
>> * Whitespace: Original line breaks are stripped.
>>
>>
>>
>> == Dirty HTML ==
>>
>> <div style="border: 1px solid red;background-color:pink;padding:  
>> 5px;"
>> onclick="alert('EzWhat?  EzRez!');">
>>
>>   <h3>Title</h3>
>>
>>
>>
>>   <p>Here is some super fun user content! Yeah!</p>
>>
>>
>>
>>   <a href="#" onclick="alert('Look an alert!')">Click Me!</a>
>>
>> </div>
>>
>>
>>
>> == Cleaned HTML ==
>>
>> <div style="border: 1.0px solid red;padding: 5.0px;">
>>
>>   <h3>Title</h3>
>>
>>   <p>Here is some super fun user content! Yeah!</p>
>>
>>   <a href="#">Click Me!</a></div>
>>
>>
>>
>> == CSS Issues ==
>>
>> * <![CDATA ]]> tag inserted into style tag.
>>
>> * Pixel widths are formatted with decimal precision.  Is: 1.0px,
>> Should Be: 1px;
>>
>> * Class selectors formatted with * prefix.  Is: *.blue {}, Should
>> Be: .blue {}
>>
>> * Hex colors are formatted with rgb method. Is: rgb(255,255,255),  
>> Should Be:
>> #ffffff
>>
>> * Comments are stripped
>>
>>
>>
>> == Dirty CSS ==
>>
>> <style>
>>
>> BODY {
>>
>>   background-color: #ffffff;
>>
>>   font-family: verdana, arial, tahoma;
>>
>>   font-size: 10px;
>>
>>   margin-bottom: 0;
>>
>>   margin-left: 0;
>>
>>   margin-right: 0;
>>
>>   margin-top: 0;
>>
>> }
>>
>>
>>
>> /*a {color:#017DDE; font-family: verdana, arial, tahoma; font-size:  
>> 10px;
>> font-weight : bold;}*/
>>
>> p, ol, ul, li, i, td {
>>
>>   color: #000000;
>>
>>   font-family: verdana, arial, tahoma;
>>
>>   font-size: 10px;
>>
>> }
>>
>>
>>
>> .blue {
>>
>>   color: #000000;
>>
>>   font-family: verdana, arial, tahoma;
>>
>>   font-size: 11px;
>>
>> }
>>
>> </style>
>>
>>
>>
>> == Cleaned CSS ==
>>
>> <style><![CDATA[BODY {
>>
>>                 background-color: rgb(255,255,255);
>>
>>                 font-family: verdana , arial , tahoma;
>>
>>                 font-size: 10.0px;
>>
>>                 margin-bottom: 0;
>>
>>                 margin-left: 0;
>>
>>                 margin-right: 0;
>>
>>                 margin-top: 0;
>>
>> }
>>
>> p, ol, ul, li, i, td {
>>
>>                 color: rgb(0,0,0);
>>
>>                 font-family: verdana , arial , tahoma;
>>
>>                 font-size: 10.0px;
>>
>> }
>>
>>
>>
>> *.blue {
>>
>>                 color: rgb(0,0,0);
>>
>>                 font-family: verdana , arial , tahoma;
>>
>>                 font-size: 11.0px;
>>
>> }
>>
>> ]]></style>
>>
>>
>>
>> __________________________________________________________
>> Luke Bunselmeyer || Sr Web Developer || EzRez Software, Inc.
>> Tel: 415.541.9100 x2067  || Fax: 415.541.9888  ||  www.ezrez.com
>>
>>
>>
>> This message may contain confidential information.  If you are not  
>> the
>> intended recipient (or authorized to receive for the recipient) and  
>> received
>> this message in error; any use, distribution or disclosure is  
>> strictly
>> prohibited.  Please contact the sender by reply email and delete  
>> all copies
>> of this message from your computer system.  The views and opinions  
>> expressed
>> in this email are those of the sender and do not necessarily  
>> reflect the
>> views or policies of EzRez Software, except when the sender  
>> expressly and
>> with authority states them to be so.
>>
>>
>> _______________________________________________
>> Owasp-antisamy mailing list
>> Owasp-antisamy at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-antisamy
>>
>>
>
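The fail-closed wrapper Luke is asking for, as an added example that is not part of this thread and not AntiSamy's own code. It uses only API that the thread shows or that AntiSamy ships (AntiSamy.scan, CleanResults.getErrorMessages and getCleanHTML, Policy.getInstance(String)); the class name StrictAntiSamy, the ContentRejectedException type, the policy path taken from args[0] and the tag/attribute counting heuristic are this example's own assumptions. The heuristic exists because, as the thread shows, an iframe can be dropped without anything landing in errorMessages, so the wrapper compares the multiset of element and attribute names before and after the scan and rejects the input when they differ. Formatting changes such as 1px becoming 1.0px or #ffffff becoming rgb(255,255,255) do not affect those counts, so the canonicalization Jason describes does not trip it.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

/**
 * Fail-closed wrapper around AntiSamy (example code, not AntiSamy's own):
 * rejects input when the scan reports errors, and also when elements or
 * attributes vanish from the output without an error message.
 */
public class StrictAntiSamy {

    /** Hypothetical exception type; replace with the application's own. */
    public static class ContentRejectedException extends Exception {
        public ContentRejectedException(String message) { super(message); }
    }

    // Lexical pass only: an opening tag and everything up to the next '>'.
    // Attribute values containing '>' confuse it, which is acceptable here
    // because a confused count can only cause a rejection, never an accept.
    private static final Pattern OPEN_TAG =
        Pattern.compile("<([A-Za-z][A-Za-z0-9]*)([^>]*)>");
    private static final Pattern ATTR_NAME =
        Pattern.compile("\\s([A-Za-z][A-Za-z0-9_:-]*)\\s*=");

    private final AntiSamy antiSamy = new AntiSamy();
    private final Policy policy;

    public StrictAntiSamy(Policy policy) {
        this.policy = policy;
    }

    /** Returns the cleaned HTML, or throws; never returns silently altered markup. */
    public String scanOrReject(String input)
            throws ScanException, PolicyException, ContentRejectedException {
        CleanResults results = antiSamy.scan(input, policy);

        // Signal 1: whatever AntiSamy itself reports (the anchor case in the thread).
        if (!results.getErrorMessages().isEmpty()) {
            throw new ContentRejectedException(
                "AntiSamy reported errors: " + results.getErrorMessages());
        }

        // Signal 2: structural diff between input and output. A dropped
        // <iframe> or a stripped onclick attribute changes these counts;
        // a reformatted style value does not.
        String clean = results.getCleanHTML();
        Map<String, Integer> before = tagAndAttributeCounts(input);
        Map<String, Integer> after = tagAndAttributeCounts(clean);
        if (!before.equals(after)) {
            throw new ContentRejectedException(
                "Markup removed without an error message; before=" + before
                + " after=" + after);
        }
        return clean;
    }

    /**
     * Multiset of element names ("iframe") and per-element attribute names
     * ("a@onclick"), lower-cased. Closing tags, comments, CDATA and doctype
     * are ignored, so closing tags inserted by the parser cause no false alarm.
     */
    static Map<String, Integer> tagAndAttributeCounts(String html) {
        Map<String, Integer> counts = new HashMap<String, Integer>();
        Matcher tag = OPEN_TAG.matcher(html);
        while (tag.find()) {
            String name = tag.group(1).toLowerCase();
            increment(counts, name);
            Matcher attr = ATTR_NAME.matcher(tag.group(2));
            while (attr.find()) {
                increment(counts, name + "@" + attr.group(1).toLowerCase());
            }
        }
        return counts;
    }

    private static void increment(Map<String, Integer> counts, String key) {
        Integer n = counts.get(key);
        counts.put(key, n == null ? 1 : n + 1);
    }

    public static void main(String[] args) throws Exception {
        // Assumption: args[0] is the path to an AntiSamy policy file.
        StrictAntiSamy strict = new StrictAntiSamy(Policy.getInstance(args[0]));
        // Constructed samples: the two cases from the thread plus a benign one.
        String[] samples = {
            "<a href=\"javascript:alert('hacked!');\">click me</a>",
            "<iframe src='http://www.google.com'></iframe>",
            "<p style=\"border: 1px solid red\">fine</p>"
        };
        for (String sample : samples) {
            try {
                System.out.println("ACCEPTED: " + strict.scanOrReject(sample));
            } catch (ContentRejectedException e) {
                System.out.println("REJECTED: " + e.getMessage());
            }
        }
    }
}
```

Two caveats before using this in production. The count compares names only, so a value that AntiSamy rewrites or trims (a disallowed property dropped from a style attribute, for instance) is not detected unless AntiSamy reports it; and any policy directive that adds markup, such as one that appends rel="nofollow" to anchors, will make every anchor fail the comparison, so either disable such directives or exclude those keys from the count. Both failure modes are on the rejecting side, which is the right side for a check whose purpose is to refuse rather than silently repair.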