[owasp-antisamy] CSS Parse Exceptions

Chris Vida chris.vida at touchnet.com
Tue Mar 29 11:24:48 EDT 2011


The project I am working on requires us to allow users to upload their own CSS.  However, I have run into an issue with the way the CSS validation is happening.  It appears as though AntiSamy's CssScanner is delegating to the org.apache.batik.css.parser.Parser class to create the "clean" CSS.  Unfortunately, there is no ErrorHandler passed in to the Parser.  CSSParseExceptions are being logged to the ErrorHandler, but CssScanner never sets one, and thus does not read/detect these to add to the errorMessages.  Was this done for a specific reason?

The exact use case that is causing the issue is when the CSS contains "browser hacks" (http://www.javascriptkit.com/dhtmltutors/csshacks3.shtml).  The hacks cause a CSSParseException to be thrown, and the CSS output is then "corrected" (basically the hacks are just removed, but some hacks cause a new *{...} entry to be added).  However, there is no ErrorHandler, so these exceptions are ignored back at the CssScanner level.

If it's possible to include these exceptions in the errorMessages via an ErrorHandler, I would appreciate it.  If the decision to leave out these exceptions was based on a specific design issue, it would be very helpful if someone could elaborate.

Thanks for the help.


Confidentiality Notice: This electronic mail transmission, including any accompanying attachments, is intended solely for its authorized recipient(s). If you are not the intended recipient, please be aware that any disclosure, copying, distribution or use of the contents of this message is strictly prohibited. If you received this transmission in error, immediately contact the sender and delete the contents and attachments of this message.

Note to recipient: This is an unsecured email service which is not intended for sending confidential or highly sensitive information. Confidential or highly sensitive information includes, but is not limited to, payment card information, social security numbers, and account numbers.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-antisamy/attachments/20110329/325a94eb/attachment.html 

More information about the Owasp-antisamy mailing list