[Owasp-antisamy] CSS level represented in the default policy files?

augustd augustd at codemagi.com
Fri Oct 15 12:46:38 EDT 2010


This might be a good way to demonstrate the new includes feature for policy
files: Move CSS2 to an included policy file, duplicate the file and add the
new rules for CSS2.1, and include that in the default policy file.

-August


On Fri, Oct 15, 2010 at 7:49 AM, Jason Li <jason.li at owasp.org> wrote:

> Arshan,
>
> The properties in the AntiSamy file are based on CSS2 - when constructing
> the policy file, I actually parsed the CSS2 property table (
> http://www.w3.org/TR/2008/REC-CSS2-20080411/propidx.html <http://www.w3.org/TR/CSS2/propidx.html>)
> and with the exception of a few properties (mostly related to aural CSS
> stuff), they should all be there. The addition of Orange as a color came in
> CSS2.1.
>
> Scanning very quickly over CSS2.1, I don't *believe* there are any new
> properties in CSS2.1 vs CSS2 from a validation standpoint. There's just the
> addition of six more "allowed" values, which is a quick and easy
> change to the policy file:
> http://www.w3.org/TR/CSS2/changes.html#new
>
> These are:
> New color value: 'orange'
> New 'display' value: 'inline-block'
> New 'content' values 'none' and 'normal'.
> New 'white-space' values: 'pre-wrap' and 'pre-line'
> New 'cursor' value: 'progress'
>
> Paul - are there any other changes or shortcomings in the policy file that
> you're aware of to bring it up to CSS2.1?
>
> -Jason
>
>
> On Fri, Oct 15, 2010 at 10:32 AM, Arshan Dabirsiaghi <
> arshan.dabirsiaghi at aspectsecurity.com> wrote:
>
>> Yes, the CSS is getting a bit dated. I haven't looked at updating them.
>> Based on your knowledge of CSS, do you think this will be a big effort?
>>
>> Arshan
>>
>> -----Original Message-----
>> From: owasp-antisamy-bounces at lists.owasp.org
>> [mailto:owasp-antisamy-bounces at lists.owasp.org] On Behalf Of Paul Curren
>> Sent: Friday, October 15, 2010 6:58 AM
>> To: owasp-antisamy at lists.owasp.org
>> Subject: [Owasp-antisamy] CSS level represented in the default policy
>> files?
>>
>> Hi there.
>>
>> I'm using a policy file based on one of the included demo policy files.
>> It looks to me that these policy files are based on CSS 1 (16 colour
>> names instead of 17, etc).
>>
>> Is that correct? And if so is there any plan to update them to cover CSS
>> 2.1 styles?
>>
>> Thanks,
>>
>> Paul C
>>
>> _______________________________________________
>> Owasp-antisamy mailing list
>> Owasp-antisamy at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-antisamy
>
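One way to check a policy file for the CSS2.1 values Jason lists, as an added example that is not part of the thread or the AntiSamy project's code. The element names (`common-regexps`, `css-rules`, `property`, `literal-list`) are assumed from AntiSamy's policy layout, and the embedded policy is constructed for the demonstration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a cut-down policy; element names are assumed from
# AntiSamy's policy layout (common-regexps / css-rules / literal-list).
SAMPLE_POLICY = """
<anti-samy-rules>
  <common-regexps>
    <regexp name="colorName" value="(aqua|black|blue|fuchsia|gray|green|lime|maroon|navy|olive|purple|red|silver|teal|white|yellow)"/>
  </common-regexps>
  <css-rules>
    <property name="display"><literal-list>
      <literal value="inline"/><literal value="block"/><literal value="inline-block"/>
    </literal-list></property>
    <property name="white-space"><literal-list>
      <literal value="normal"/><literal value="pre"/><literal value="nowrap"/>
    </literal-list></property>
  </css-rules>
</anti-samy-rules>
"""

# The CSS2.1 additions listed in the thread, keyed by property.
CSS21_LITERALS = {
    "display": ["inline-block"],
    "content": ["none", "normal"],
    "white-space": ["pre-wrap", "pre-line"],
    "cursor": ["progress"],
}

def missing_css21_values(policy_xml):
    """Return sorted (property, value) pairs the policy does not yet allow."""
    root = ET.fromstring(policy_xml)
    missing = []
    # Colour names live in a shared regexp rather than a per-property list.
    color = root.find("./common-regexps/regexp[@name='colorName']")
    if color is None or not re.fullmatch(color.get("value", ""), "orange", re.I):
        missing.append(("colorName", "orange"))
    for prop, values in CSS21_LITERALS.items():
        node = root.find(f"./css-rules/property[@name='{prop}']")
        allowed = set()
        if node is not None:  # a property absent from the policy allows nothing
            allowed = {lit.get("value", "").lower() for lit in node.iter("literal")}
        missing.extend((prop, v) for v in values if v not in allowed)
    return sorted(missing)

if __name__ == "__main__":
    for prop, value in missing_css21_values(SAMPLE_POLICY):
        print(f"policy lacks CSS2.1 value: {prop}: {value}")
```

An empty result means every value in the list is already accepted by the policy; the 16-name colour regexp in the sample is what produces the `colorName` finding.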