[Owasp-antisamy] CSS level represented in the default policy files?

Jason Li jason.li at owasp.org
Fri Oct 15 10:49:59 EDT 2010


Arshan,

The properties in the AntiSamy file are based on CSS2 - when constructing
the policy file, I actually parsed the CSS2 property table (
http://www.w3.org/TR/2008/REC-CSS2-20080411/propidx.html <http://www.w3.org/TR/CSS2/propidx.html>)
and with the exception of a few properties (mostly related to aural CSS
stuff), they should all be there. The addition of Orange as a color came in
CSS2.1.

Scanning very quickly over CSS2.1, I don't *believe* there are any new
properties in CSS2.1 vs CSS2 from a validation standpoint. There's just the
addition of six more "allowed" values, which is a quick and easy
change to the policy file:
http://www.w3.org/TR/CSS2/changes.html#new

These are:
New color value: 'orange'
New 'display' value: 'inline-block'
New 'content' values 'none' and 'normal'.
New 'white-space' values: 'pre-wrap' and 'pre-line'
New 'cursor' value: 'progress'

Paul - are there any other changes or shortcomings in the policy file that
you're aware of to bring it up to CSS2.1?

-Jason

On Fri, Oct 15, 2010 at 10:32 AM, Arshan Dabirsiaghi <
arshan.dabirsiaghi at aspectsecurity.com> wrote:

> Yes, the CSS is getting a bit dated. I haven't looked at updating them.
> Based on your knowledge of CSS, do you think this will be a big effort?
>
> Arshan
>
> -----Original Message-----
> From: owasp-antisamy-bounces at lists.owasp.org
> [mailto:owasp-antisamy-bounces at lists.owasp.org] On Behalf Of Paul Curren
> Sent: Friday, October 15, 2010 6:58 AM
> To: owasp-antisamy at lists.owasp.org
> Subject: [Owasp-antisamy] CSS level represented in the default policy
> files?
>
> Hi there.
>
> I'm using a policy file based on one of the included demo policy files.
> It looks to me that these policy files are based on CSS 1 (16 colour
> names instead of 17, etc).
>
> Is that correct? And if so is there any plan to update them to cover CSS
> 2.1 styles?
>
> Thanks,
>
> Paul C
>
> _______________________________________________
> Owasp-antisamy mailing list
> Owasp-antisamy at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-antisamy
>
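
Added example, not part of the original thread or of the AntiSamy project's code: a small audit script that reports which of the CSS2.1 values listed in the message above a policy file would still reject. The element layout (common-regexps, css-rules, property, literal-list, regexp-list) is assumed to follow the AntiSamy policy format, and the sample policy is constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# The CSS2.1 additions listed in the message above: (property, new value).
CSS21_ADDITIONS = [
    ("color", "orange"), ("display", "inline-block"),
    ("content", "none"), ("content", "normal"),
    ("white-space", "pre-wrap"), ("white-space", "pre-line"),
    ("cursor", "progress"),
]

# Constructed sample policy fragment (assumed layout, not a real AntiSamy policy file).
SAMPLE_POLICY = """
<anti-samy-rules>
  <common-regexps>
    <regexp name="colorName" value="(aqua|black|blue|red|white|yellow)"/>
  </common-regexps>
  <css-rules>
    <property name="color">
      <literal-list><literal value="inherit"/></literal-list>
      <regexp-list><regexp name="colorName"/></regexp-list>
    </property>
    <property name="display">
      <literal-list><literal value="inline"/><literal value="inline-block"/></literal-list>
    </property>
    <property name="white-space">
      <literal-list><literal value="normal"/><literal value="pre"/><literal value="pre-wrap"/></literal-list>
    </property>
  </css-rules>
</anti-samy-rules>
"""

def missing_css21_values(policy_xml):
    """Return the (property, value) pairs from CSS21_ADDITIONS the policy would reject."""
    root = ET.fromstring(policy_xml)
    # Named patterns that properties can reference from their regexp-list.
    named = {r.get("name"): r.get("value") for r in root.findall("./common-regexps/regexp")}
    missing = []
    for prop, value in CSS21_ADDITIONS:
        node = root.find(f"./css-rules/property[@name='{prop}']")
        if node is None:  # property not defined at all, so the value cannot pass
            missing.append((prop, value))
            continue
        literals = {l.get("value") for l in node.findall("./literal-list/literal")}
        patterns = [r.get("value") or named.get(r.get("name"))
                    for r in node.findall("./regexp-list/regexp")]
        if value not in literals and not any(p and re.fullmatch(p, value) for p in patterns):
            missing.append((prop, value))
    return missing

if __name__ == "__main__":
    for prop, value in missing_css21_values(SAMPLE_POLICY):
        print(f"{prop}: '{value}' not allowed by policy")
```
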