[owasp-antisamy] CSS Parse Exceptions

Jason Li jason.li at owasp.org
Tue Mar 29 11:36:28 EDT 2011


It depends on if you count "oversight" as a "specific reason" :-).

Could you add this to the AntiSamy issues list
(http://code.google.com/p/owaspantisamy/issues/list)?

-Jason

On Tue, Mar 29, 2011 at 11:24 AM, Chris Vida <chris.vida at touchnet.com> wrote:

> Hello,
>
> The project I am working on requires us to allow users to upload their own
> CSS.  However, I have run into an issue with the way the CSS validation is
> happening.  It appears as though AntiSamy’s CssScanner is delegating to the
> org.apache.batik.css.parser.Parser class to create the “clean” CSS.
> Unfortunately, there is no ErrorHandler passed in to the Parser.
> CSSParseExceptions are being logged to the ErrorHandler, but CssScanner
> never sets one, and thus does not read/detect these to add to the
> errorMessages.  Was this done for a specific reason?
>
> The exact use case that is causing the issue is when the CSS contains
> “browser hacks” (http://www.javascriptkit.com/dhtmltutors/csshacks3.shtml).
> The hacks cause a CSSParseException to be thrown, and the CSS output is then
> “corrected” (basically the hacks are just removed, but some hacks cause a
> new *{…} entry to be added).  However, there is no ErrorHandler, so these
> exceptions are ignored back at the CssScanner level.
>
> If it’s possible to include these exceptions in the errorMessages via an
> ErrorHandler, I would appreciate it.  If the decision to leave out these
> exceptions was based on a specific design issue, it would be very helpful if
> someone could elaborate.
>
> Thanks for the help.
>
> _______________________________________________
> Owasp-antisamy mailing list
> Owasp-antisamy at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-antisamy
>
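The missing piece Chris describes, as an added example that is not AntiSamy's or Batik's own code: a SAC ErrorHandler handed to Batik's Parser so that CSSParseExceptions are recorded for the caller instead of being dropped. It assumes batik-css and the W3C SAC interfaces on the classpath; the CollectingErrorHandler class, its scan() helper and the sample CSS are constructed for this example.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;

import org.apache.batik.css.parser.Parser;
import org.w3c.css.sac.CSSParseException;
import org.w3c.css.sac.ErrorHandler;
import org.w3c.css.sac.InputSource;

/** Hypothetical helper: records every parse problem the Batik parser reports. */
public class CollectingErrorHandler implements ErrorHandler {
    private final List<String> messages = new ArrayList<String>();

    public void warning(CSSParseException e) { record("warning", e); }
    public void error(CSSParseException e)   { record("error", e); }
    public void fatalError(CSSParseException e) {
        record("fatal", e);
        throw e; // a fatal error means the stylesheet should be rejected, not "corrected"
    }

    private void record(String level, CSSParseException e) {
        messages.add(level + " at line " + e.getLineNumber()
                + ", column " + e.getColumnNumber() + ": " + e.getMessage());
    }

    public List<String> getMessages() { return messages; }

    /** Parse user-supplied CSS and return the problems the parser reported. */
    public static List<String> scan(String css) throws IOException {
        Parser parser = new Parser();
        CollectingErrorHandler handler = new CollectingErrorHandler();
        parser.setErrorHandler(handler); // the call the message says CssScanner never makes
        parser.parseStyleSheet(new InputSource(new StringReader(css)));
        return handler.getMessages();
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: a normal rule followed by a "hash hack" style declaration,
        // which is not a valid property name and so is reported rather than kept.
        String css = "p { color: red; }\np { #color: blue; }";
        for (String m : scan(css)) {
            System.out.println(m);
        }
    }
}
```

Surfacing these messages alongside the cleaned output lets the application decide whether silently stripped rules are acceptable, rather than discovering the change only by diffing input against output.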