[Owasp-antisamy] CSS level represented in the default policy files?

Paul Curren pcurren at atlassian.com
Fri Oct 15 13:21:47 EDT 2010


Thanks for that Jason.

I actually hadn't looked into this in any more depth than my initial observation that some of the valid values were out of date. So I have nothing to add :-)

Paul C



On 15/10/2010, at 3:49 PM, Jason Li wrote:

> Arshan,
> 
> The properties in the AntiSamy file are based on CSS2 - when constructing the policy file, I actually parsed the CSS2 property table (http://www.w3.org/TR/2008/REC-CSS2-20080411/propidx.htmll) and with the exception of a few properties (mostly related to aural CSS stuff), they should all be there. The addition of Orange as a color came in CSS2.1.
> 
> Scanning very quickly over CSS2.1, I don't *believe* there are any new properties in CSS2.1 vs CSS2 from a validation standpoint. There's just the addition of six more "allowed" values, which is a quick and easy change to the policy file:
> http://www.w3.org/TR/CSS2/changes.html#new
> 
> These are:
> New color value: 'orange'
> New 'display' value: 'inline-block'
> New 'content' values 'none' and 'normal'.
> New 'white-space' values: 'pre-wrap' and 'pre-line'
> New 'cursor' value: 'progress'
> 
> Paul - are there any other changes or shortcomings in the policy file that you're aware of to bring it up to CSS2.1? 
> 
> -Jason
> 
> On Fri, Oct 15, 2010 at 10:32 AM, Arshan Dabirsiaghi <arshan.dabirsiaghi at aspectsecurity.com> wrote:
> Yes, the CSS is getting a bit dated. I haven't looked at updating them.
> Based on your knowledge of CSS, do you think this will be a big effort?
> 
> Arshan
> 
> -----Original Message-----
> From: owasp-antisamy-bounces at lists.owasp.org
> [mailto:owasp-antisamy-bounces at lists.owasp.org] On Behalf Of Paul Curren
> Sent: Friday, October 15, 2010 6:58 AM
> To: owasp-antisamy at lists.owasp.org
> Subject: [Owasp-antisamy] CSS level represented in the default policy
> files?
> 
> Hi there.
> 
> I'm using a policy file based on one of the included demo policy files.
> It looks to me that these policy files are based on CSS 1 (16 colour
> names instead of 17, etc).
> 
> Is that correct? And if so is there any plan to update them to cover CSS
> 2.1 styles?
> 
> Thanks,
> 
> Paul C
> 
> _______________________________________________
> Owasp-antisamy mailing list
> Owasp-antisamy at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-antisamy
> 
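
An added example, not part of the original thread and not AntiSamy project code: a Python audit that reports which of the CSS2.1 values listed in Jason's message a policy file does not yet accept. The element names (`common-regexps`, `css-rules`, `property`, `literal-list`, `regexp-list`) and the `colorName` regexp are assumptions about the policy layout, and the sample policy is constructed.

```python
import re
import xml.etree.ElementTree as ET

# The CSS2.1 additions listed in the thread, keyed by CSS property.
CSS21_ADDITIONS = {
    "color": {"orange"}, "display": {"inline-block"}, "cursor": {"progress"},
    "content": {"none", "normal"}, "white-space": {"pre-wrap", "pre-line"},
}

# Constructed sample policy (assumed AntiSamy layout), not a shipped policy file.
SAMPLE_POLICY = """<anti-samy-rules>
  <common-regexps>
    <regexp name="colorName" value="(aqua|black|blue|red|white|yellow)"/>
  </common-regexps>
  <css-rules>
    <property name="color"><regexp-list><regexp name="colorName"/></regexp-list></property>
    <property name="display"><literal-list>
      <literal value="inline"/><literal value="block"/><literal value="inline-block"/>
    </literal-list></property>
    <property name="white-space"><literal-list>
      <literal value="normal"/><literal value="pre"/><literal value="nowrap"/>
    </literal-list></property>
  </css-rules>
</anti-samy-rules>"""

def missing_css21_values(policy_xml):
    """Return {property: sorted missing values}; an absent property reports all its values."""
    root = ET.fromstring(policy_xml)
    # Policy regexps are written for Java; simple alternations also compile in Python.
    regexps = {r.get("name"): re.compile(r.get("value"))
               for r in root.findall("./common-regexps/regexp")}
    props = {p.get("name"): p for p in root.findall("./css-rules/property")}
    report = {}
    for name, wanted in CSS21_ADDITIONS.items():
        prop = props.get(name)
        literals, patterns = set(), []
        if prop is not None:
            literals = {lit.get("value") for lit in prop.findall("./literal-list/literal")}
            patterns = [regexps[r.get("name")] for r in prop.findall("./regexp-list/regexp")
                        if r.get("name") in regexps]
        missing = sorted(v for v in wanted
                         if v not in literals and not any(p.fullmatch(v) for p in patterns))
        if missing:
            report[name] = missing
    return report

if __name__ == "__main__":
    for prop, values in missing_css21_values(SAMPLE_POLICY).items():
        print(f"{prop}: missing {', '.join(values)}")
```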
