[Owasp-antisamy] Leave attribute value untouched

Ricardo Lopes rjlopes at gmail.com
Mon May 25 10:13:30 EDT 2009


Last week I removed the "if" block on the code of AntiSamyDOMScanner.cs (~
line 185):
if ("style".Equals(name.ToLower()) && attr != null)

That way I can validate the style attribute as if it was another attribute.
I know the latest version of AntiSamy adds css rules but I can't update to
that version because of the dependency of Flute that requires vjslib and
that doesn't work on Mono.


2009/5/14 Ricardo Lopes <rjlopes at gmail.com>

> Hi, the attribute remains, but the content is empty.
>
> Here is an example:
>
> Before:
> -------
> just a test, <span class="Apple-style-span" style="font-weight:
> bold;">this is bold</span>,<span class="Apple-style-span"
> style="font-style: italic;">this italic</span>, <span
> class="Apple-style-span" style="text-decoration: underline;">and
> underline</span><div style="text-align:
> center;">centered</div><div>left</div><div style="text-align:
> right;">right</div><div style="text-align:
> left;">END.</div><div><br></div>
>
> After:
> -------
> just a test, <span style="">this is bold</span>,<span style="">this
> italic</span>, <span style="">and underline</span><div
> style="">centered</div><div>left</div><div style="">right</div><div
> style="">END.</div><div><br /></div>
>
> I created a custom policy file to match the valid elements I have on a
> wysiwyg editor (jwysiwyg), the policy file is included as attachment.
> In this file I declared the style on the common-attributes section and
> reference it on the global-tag-attributes, there are also some
> css-rules defined but as the .NET antisamy version I use doesn't
> include flute I think it should be ignored.
>
> Thanks,
> Ricardo Lopes.
>
> 2009/5/13 Jerry Hoff <jerry.hoff at aspectsecurity.com>:
> > Hi Ricardo,
> >
> > I'll have to look into it.  The whole style attribute is being trimmed?
> So
> > are you left with just style="" ?
> >
> > Jerry
> >
> > -----Original Message-----
> > From: owasp-antisamy-bounces at lists.owasp.org on behalf of Ricardo Lopes
> > Sent: Wed 5/13/2009 12:19 PM
> > To: owasp-antisamy at lists.owasp.org
> > Subject: [Owasp-antisamy] Leave attribute value untouched
> >
> > Hi,
> >
> > I am using the .Net version of Antisamy (before Flute).
> >
> > What do I have to do on the policy file to prevent antisamy from
> > trimming the style attribute value from the tags?
> >
> > Thanks,
> > Ricardo Lopes.
> > _______________________________________________
> > Owasp-antisamy mailing list
> > Owasp-antisamy at lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/owasp-antisamy
> >
> >
>
>
>
> --
>
> Ricardo Lopes
>



-- 

Ricardo Lopes
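
Once "style" is validated like any other attribute, nothing parses the CSS, so the check applied to the value is the only control left. The following is an added example, not code from this thread or from AntiSamy: a strict allowlist check for inline style values. The class name, method name and the allowlist (limited to the properties seen in the "Before" sample) are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;

// Added example: strict allowlist for inline style values when "style" is
// validated as a plain attribute (no CSS parser involved).
public static class StyleAttributeCheck
{
    // Assumed allowlist: only the properties and keywords that appear in the
    // "Before" sample from the thread.
    private static readonly Dictionary<string, Regex> Allowed =
        new Dictionary<string, Regex>(StringComparer.OrdinalIgnoreCase)
    {
        { "font-weight",     new Regex(@"^(normal|bold)$", RegexOptions.IgnoreCase) },
        { "font-style",      new Regex(@"^(normal|italic)$", RegexOptions.IgnoreCase) },
        { "text-decoration", new Regex(@"^(none|underline)$", RegexOptions.IgnoreCase) },
        { "text-align",      new Regex(@"^(left|center|right)$", RegexOptions.IgnoreCase) },
    };

    // True only if at least one declaration is present and every declaration
    // is "allowed-property: allowed-keyword".
    public static bool IsSafe(string style)
    {
        if (style == null) return false;
        int seen = 0;
        foreach (string decl in style.Split(';'))
        {
            if (decl.Trim().Length == 0) continue;   // empty piece, e.g. after a trailing ';'
            string[] parts = decl.Split(':');
            if (parts.Length != 2) return false;     // malformed, or a value that itself contains ':'
            Regex valueRule;
            if (!Allowed.TryGetValue(parts[0].Trim(), out valueRule)) return false;
            if (!valueRule.IsMatch(parts[1].Trim())) return false;
            seen++;
        }
        return seen > 0;
    }

    public static void Main()
    {
        // Constructed inputs; the first three follow the shapes in the "Before" sample.
        string[] samples = {
            "font-weight: bold;", "text-align:\n center;",
            "text-decoration: underline; font-style: italic",
            "width: expression(1)", "background: url(http://example.invalid/x.png)",
            "font-weight: bold; position: fixed", ""
        };
        foreach (string s in samples)
            Console.WriteLine("{0,-5} {1}", IsSafe(s), s.Replace("\n", " "));
    }
}
```

The first three samples pass; the remaining four are rejected, either because the property is not on the allowlist or because the value is not one of the listed keywords.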