[Owasp-antisamy] antisamy .NET version -- inline css style scanning

Arshan Dabirsiaghi arshan.dabirsiaghi at aspectsecurity.com
Mon May 3 13:33:17 EDT 2010

I'm sorry to say that I don't know much about your problem. To be honest
I don't know if AntiSamy.NET is being supported by the author of the
port anymore. I have been very hands-off to the port in general.

I just want to make sure everyone's expectations are appropriate, that I
am -not- in charge of it and it probably needs some active developers to
stay alive and production ready. If you are willing to make that
commitment feel free to reach out to me. 

In the meantime, I suggest users use this list to help each other out
when they run into problems like the one you described.


-----Original Message-----
From: owasp-antisamy-bounces at lists.owasp.org
[mailto:owasp-antisamy-bounces at lists.owasp.org] On Behalf Of Raheel
Sent: Sunday, May 02, 2010 11:26 PM
To: owasp-antisamy at lists.owasp.org
Subject: [Owasp-antisamy] antisamy .NET version -- inline css style


I have a .NET web application that allows for html text to be entered by
users. We then use some of this text to generate pdf documents. Our goal
is to use antisamy .net to filter any font modification (face, size,
color) from the html they enter in order to make the pdf files we
generate look consistent.

Currently, I am not seeing inline css being validated properly by
antisamy .net.

Testing the following: 

<span style="text-decoration:underline">test</span>

Using the ebay policy file, this should come out untouched, but for some
reason the clean html that is returned is: 

<span style="">test</span>

Why is the text-decoration CSS property getting filtered out? The
property and the literal value "underline" are included in the ebay
policy file that is part of the .net source code I downloaded. I would
think only the CSS properties that are not included or commented out of
the CSS rules section of the policy file would be removed from inline
CSS, but this is not the case. Currently, it is behaving as if the CSS
rules section of the policy file is empty.

I poked around in the source code and it appears that the
isValidProperty function of the CSSValidator.cs isn't even being hit. I
believe that is where the inline CSS property validation would occur. Is
the inline-CSS validation in the AntiSamy .NET code available online
incomplete or something?

Any help would be appreciated.

Raheel Aidrus
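
The allow-list behaviour the question expects for inline styles, as an added example that is not part of the original thread and is not AntiSamy or AntiSamy.NET code. The names `STYLE_POLICY`, `filter_style`, `StyleFilter` and `clean` are hypothetical, the policy is constructed rather than taken from the eBay policy file, and only `style` attributes are filtered (tags and other attributes pass through unchanged).

```python
import html
import re
from html.parser import HTMLParser

# Constructed allow-list (NOT the eBay policy file): property -> pattern the whole value must match.
STYLE_POLICY = {
    "text-decoration": re.compile(r"(none|underline|overline|line-through)"),
    "font-weight": re.compile(r"(normal|bold)"),
}

def filter_style(style, policy=STYLE_POLICY):
    """Return (kept_style, dropped) for one inline style attribute value."""
    kept, dropped = [], []
    for decl in style.split(";"):
        if not decl.strip():
            continue
        name, sep, value = decl.partition(":")
        name, value = name.strip().lower(), value.strip().lower()
        rule = policy.get(name)
        if sep and rule and rule.fullmatch(value):
            kept.append(f"{name}:{value}")   # property and value both allowed
        else:
            dropped.append(decl.strip())     # unknown or malformed: fail closed
    return ";".join(kept), dropped

class StyleFilter(HTMLParser):
    """Re-emits markup unchanged except for filtered style attributes."""
    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out, self.dropped = [], []
    def handle_starttag(self, tag, attrs):
        parts = [tag]
        for k, v in attrs:
            if k == "style":
                v, gone = filter_style(v or "")
                self.dropped += gone
            parts.append(k if v is None else f'{k}="{html.escape(v, quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")
    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")
    def handle_data(self, data):
        self.out.append(data)
    def handle_entityref(self, name): self.out.append(f"&{name};")
    def handle_charref(self, name): self.out.append(f"&#{name};")

def clean(markup):
    f = StyleFilter()
    f.feed(markup); f.close()
    return "".join(f.out), f.dropped
```

Running the thread's test input through `clean` and comparing the result with the input gives a regression check for the symptom reported here, where an allowed property comes back as `style=""`.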
