[Owasp-antisamy] antisamy .NET version -- inline css style scanning

Raheel Aidrus raidrus at yahoo.com
Sun May 2 23:25:30 EDT 2010


I have a .NET web application that allows for HTML text to be entered by users. We then use some of this text to generate PDF documents. Our goal is to use AntiSamy .NET to filter any font modification (face, size, color) from the HTML they enter in order to make the PDF files we generate look consistent.

Currently, I am not seeing inline CSS being validated properly by AntiSamy .NET.

Testing the following: 

<span style="text-decoration:underline">test</span>

Using the ebay policy file, this should come out untouched, but for some reason the clean html that is returned is: 

<span style="">test</span>

Why is the text-decoration CSS property getting filtered out? The property and the literal value "underline" are included in the ebay policy file that is part of the .NET source code I downloaded. I would think only the CSS properties that are not included or commented out of the CSS rules section of the policy file would be removed from inline CSS, but this is not the case. Currently, it is behaving as if the CSS rules section of the policy file is empty.

I poked around in the source code and it appears that the isValidProperty function of the CSSValidator.cs isn't even being hit. I believe that is where the inline CSS property validation would occur. Is the inline-CSS validation in the AntiSamy .NET code available online incomplete or something?

Any help would be appreciated.

Raheel Aidrus

