[owasp-antisamy] inline style css font cannot pass security problem

peter fan saaspeter at gmail.com
Wed Apr 18 09:12:02 UTC 2012


Hi all:



   I use antisamy to check input string:   * <table><tbody><tr><td
align="left" style="font: 11px/16px;"
valign="top"></td></tr></tbody></table>*

   Security check cannot pass, the error message is : The td tag had a
style attribute, "font", that could not be allowed for security reasons.

   And my antisamy rule is like this, also I refer to the previous archive
email:  “[Owasp-antisamy] inline style problem ”(Tue Mar 17 12:11:32 EDT
2009) ,

   So I add css rule, but still cannot pass the inline font style



   Could anyone help me on this?



Thanks & Regards

-Peter



 <anti-samy-rules xmlns:xsi=*"http://www.w3.org/2001/XMLSchema-instance"*
xsi:noNamespaceSchemaLocation=*"antisamy.xsd"*>



    <directives>

        <directive name=*"omitXmlDeclaration"* value=*"true"*/>

        <directive name=*"omitDoctypeDeclaration"* value=*"true"*/>

        <directive name=*"maxInputSize"* value=*"10000"*/>

        <directive name=*"useXHTML"* value=*"true"*/>

        <directive name=*"formatOutput"* value=*"true"*/>

        <directive name=*"embedStyleSheets"* value=*"false"*/>

    </directives>



    <common-regexps>

        <regexp name=*"letternumber"* value=*"[A-Za-z0-9\s_/:;#\$-]+"*/>

    </common-regexps>



    <common-attributes>

        <attribute name=*"style"*>

             <regexp-list>

                <regexp name=*"letternumber"*/>

            </regexp-list>

        </attribute>

    </common-attributes>



    <global-tag-attributes>

    </global-tag-attributes>



    <tag-rules>



        <tag name=*"table"* action=*"validate"*>

         <attribute name=*"noresize"*>

           <literal-list>

             <literal value=*"noresize"* />

             <literal value=*""* />

           </literal-list>

         </attribute>

       </tag>



       <tag name=*"td"* action=*"validate"*>

        <property name=*"style"* />

       </tag>



       <tag name=*"tbody"* action=*"validate"*>

        </tag>



    </tag-rules>



    <css-rules>

        <property name=*"font-size"* default=*"medium"* description=*""*>

         <category-list>

           <category value=*"visual"* />

         </category-list>

         <literal-list>

           <literal value=*"inherit"* />

         </literal-list>

         <regexp-list>

           <regexp name=*"absolute-size"* />

           <regexp name=*"relative-size"* />

           <regexp name=*"length"* />

           <regexp name=*"percentage"* />

         </regexp-list>

       </property>

      <property name=*"font-color"* description=*""*>

         <category-list>

            <category value=*"visual"* />

         </category-list>

         <regexp-list>

            <regexp name=*"colorName"* />

            <regexp name=*"colorCode"* />

            <regexp name=*"rgbCode"* />

            <regexp name=*"systemColor"* />

         </regexp-list>

      </property>

       <property name=*"font-size-adjust"* default=*"none"* description=*""*
>

         <category-list>

           <category value=*"visual"* />

         </category-list>

         <literal-list>

           <literal value=*"none"* />

           <literal value=*"inherit"* />

         </literal-list>

         <regexp-list>

           <regexp name=*"number"* />

         </regexp-list>

       </property>



       <property name=*"font-style"* default=*"normal"* description=*""*>

         <category-list>

           <category value=*"visual"* />

         </category-list>

         <literal-list>

           <literal value=*"normal"* />

           <literal value=*"italic"* />

           <literal value=*"oblique"* />

           <literal value=*"inherit"* />

         </literal-list>

       </property>

       <property name=*"font-variant"* default=*"normal"* description=*""*>

         <category-list>

           <category value=*"visual"* />

         </category-list>

         <literal-list>

           <literal value=*"normal"* />

           <literal value=*"small-caps"* />

           <literal value=*"inherit"* />

         </literal-list>

       </property>

       <property name=*"font-weight"* default=*"normal"* description=*""*>

         <category-list>

           <category value=*"visual"* />

         </category-list>

         <literal-list>

           <literal value=*"normal"* />

           <literal value=*"bold"* />

           <literal value=*"bolder"* />

           <literal value=*"lighter"* />

           <literal value=*"100"* />

           <literal value=*"200"* />

           <literal value=*"300"* />

           <literal value=*"400"* />

           <literal value=*"500"* />

           <literal value=*"600"* />

           <literal value=*"700"* />

           <literal value=*"800"* />

           <literal value=*"900"* />

           <literal value=*"inherit"* />

         </literal-list>

       </property>

       <property name=*"font"* >

         <category-list>

           <category value=*"visual"* />

         </category-list>

         <literal-list>

           <literal value=*"/"* />

           <literal value=*"caption"* />

           <literal value=*"icon"* />

           <literal value=*"menu"* />

           <literal value=*"message-box"* />

           <literal value=*"small-caption"* />

           <literal value=*"status-bar"* />

           <literal value=*"inherit"* />

         </literal-list>

         <shorthand-list>

           <shorthand name=*"font-style"* />

           <shorthand name=*"font-variant"* />

           <shorthand name=*"font-weight"* />

           <shorthand name=*"font-size"* />

         <shorthand name=*"font-color"* />

           <shorthand name=*"line-height"* />

           <shorthand name=*"font-family"* />

         </shorthand-list>

       </property>

       <property name=*"font-family"*>

         <category-list>

           <category value=*"visual"* />

         </category-list>

         <!-- allowing only generic font families -->

         <literal-list>

           <literal value=*"serif"* />

           <literal value=*"Arial"* />

           <literal value=*"lucida console"* />

           <literal value=*"sans-serif"* />

           <literal value=*"cursive"* />

           <literal value=*"verdana"* />

           <literal value=*"fantasy"* />

           <literal value=*"monospace"* />

         <!-- Customized font family -->

         <literal value=*"Helvetica"* />

         </literal-list>

         <regexp-list>

           <regexp value=*"[\w,\-'" ]+"* />

         </regexp-list>

       </property>



    </css-rules>

</anti-samy-rules>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-antisamy/attachments/20120418/ae01507b/attachment-0001.html>


More information about the Owasp-antisamy mailing list