[owasp-antisamy] inline style css font cannot pass security problem

peter fan saaspeter at gmail.com
Thu Apr 19 14:54:32 UTC 2012


Thanks for your reply. When I add the regex value to font, it also fails, like
this:

    <common-regexps>
        <regexp name="letternumber" value="[A-Za-z0-9\s_/:;#\$-]+"/>
    </common-regexps>
    ......
    <common-attributes>
        ......
        <attribute name="style" description="" >
           <regexp-list>
              <regexp name="letternumber"/>
           </regexp-list>
        </attribute>
        ......
    </common-attributes>

    <css-rules>
     <property name="font" description="">
        <category-list>
           <category value="visual" />
        </category-list>
        <literal-list>
           <literal value="/" />
           ......
        </literal-list>
        <shorthand-list>
           ......
        </shorthand-list>
        <regexp-list>
          <regexp name="letternumber" />
        </regexp-list>
    </property>
  </css-rules>



2012/4/19 Arshan Dabirsiaghi <arshan.dabirsiaghi at aspectsecurity.com>

> Your rule for font is all literal values. You’ll need to add a regex value
> that matches the input you desire.
>
>        <property name="font" >
>          <category-list>
>            <category value="visual" />
>          </category-list>
>          <literal-list>
>            <literal value="/" />
>            <literal value="caption" />
>            <literal value="icon" />
>            <literal value="menu" />
>            <literal value="message-box" />
>            <literal value="small-caption" />
>            <literal value="status-bar" />
>            <literal value="inherit" />
>          </literal-list>
>          <shorthand-list>
>            <shorthand name="font-style" />
>            <shorthand name="font-variant" />
>            <shorthand name="font-weight" />
>            <shorthand name="font-size" />
>            <shorthand name="font-color" />
>            <shorthand name="line-height" />
>            <shorthand name="font-family" />
>          </shorthand-list>
>        </property>
>
>
> From: owasp-antisamy-bounces at lists.owasp.org [mailto:
> owasp-antisamy-bounces at lists.owasp.org] On Behalf Of peter fan
> Sent: Wednesday, April 18, 2012 5:12 AM
> To: owasp-antisamy at lists.owasp.org
> Subject: [owasp-antisamy] inline style css font cannot pass security
> problem
>
> Hi all:
>
>    I use antisamy to check the input string:
>    <table><tbody><tr><td align="left" style="font: 11px/16px;"
>    valign="top"></td></tr></tbody></table>
>
>    The security check cannot pass; the error message is: The td tag had a
>    style attribute, "font", that could not be allowed for security reasons.
>
>    My antisamy rule is like this; I also referred to the previous archive
>    email “[Owasp-antisamy] inline style problem” (Tue Mar 17 12:11:32 EDT
>    2009).
>
>    So I added a css rule, but the inline font style still cannot pass.
>
>    Could anyone help me on this?
>
> Thanks & Regards
>
> -Peter
>
>
>  <anti-samy-rules xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xsi:noNamespaceSchemaLocation="antisamy.xsd">
>
>     <directives>
>         <directive name="omitXmlDeclaration" value="true"/>
>         <directive name="omitDoctypeDeclaration" value="true"/>
>         <directive name="maxInputSize" value="10000"/>
>         <directive name="useXHTML" value="true"/>
>         <directive name="formatOutput" value="true"/>
>         <directive name="embedStyleSheets" value="false"/>
>     </directives>
>
>     <common-regexps>
>         <regexp name="letternumber" value="[A-Za-z0-9\s_/:;#\$-]+"/>
>     </common-regexps>
>
>     <common-attributes>
>         <attribute name="style">
>             <regexp-list>
>                 <regexp name="letternumber"/>
>             </regexp-list>
>         </attribute>
>     </common-attributes>
>
>     <global-tag-attributes>
>     </global-tag-attributes>
>
>     <tag-rules>
>
>         <tag name="table" action="validate">
>          <attribute name="noresize">
>            <literal-list>
>              <literal value="noresize" />
>              <literal value="" />
>            </literal-list>
>          </attribute>
>        </tag>
>
>        <tag name="td" action="validate">
>         <property name="style" />
>        </tag>
>
>        <tag name="tbody" action="validate">
>        </tag>
>
>     </tag-rules>
>
>     <css-rules>
>        <property name="font-size" default="medium" description="">
>          <category-list>
>            <category value="visual" />
>          </category-list>
>          <literal-list>
>            <literal value="inherit" />
>          </literal-list>
>          <regexp-list>
>            <regexp name="absolute-size" />
>            <regexp name="relative-size" />
>            <regexp name="length" />
>            <regexp name="percentage" />
>          </regexp-list>
>        </property>
>
>        <property name="font-color" description="">
>          <category-list>
>            <category value="visual" />
>          </category-list>
>          <regexp-list>
>            <regexp name="colorName" />
>            <regexp name="colorCode" />
>            <regexp name="rgbCode" />
>            <regexp name="systemColor" />
>          </regexp-list>
>        </property>
>
>        <property name="font-size-adjust" default="none" description="">
>          <category-list>
>            <category value="visual" />
>          </category-list>
>          <literal-list>
>            <literal value="none" />
>            <literal value="inherit" />
>          </literal-list>
>          <regexp-list>
>            <regexp name="number" />
>          </regexp-list>
>        </property>
>
>        <property name="font-style" default="normal" description="">
>          <category-list>
>            <category value="visual" />
>          </category-list>
>          <literal-list>
>            <literal value="normal" />
>            <literal value="italic" />
>            <literal value="oblique" />
>            <literal value="inherit" />
>          </literal-list>
>        </property>
>
>        <property name="font-variant" default="normal" description="">
>          <category-list>
>            <category value="visual" />
>          </category-list>
>          <literal-list>
>            <literal value="normal" />
>            <literal value="small-caps" />
>            <literal value="inherit" />
>          </literal-list>
>        </property>
>
>        <property name="font-weight" default="normal" description="">
>          <category-list>
>            <category value="visual" />
>          </category-list>
>          <literal-list>
>            <literal value="normal" />
>            <literal value="bold" />
>            <literal value="bolder" />
>            <literal value="lighter" />
>            <literal value="100" />
>            <literal value="200" />
>            <literal value="300" />
>            <literal value="400" />
>            <literal value="500" />
>            <literal value="600" />
>            <literal value="700" />
>            <literal value="800" />
>            <literal value="900" />
>            <literal value="inherit" />
>          </literal-list>
>        </property>
>
>        <property name="font" >
>          <category-list>
>            <category value="visual" />
>          </category-list>
>          <literal-list>
>            <literal value="/" />
>            <literal value="caption" />
>            <literal value="icon" />
>            <literal value="menu" />
>            <literal value="message-box" />
>            <literal value="small-caption" />
>            <literal value="status-bar" />
>            <literal value="inherit" />
>          </literal-list>
>          <shorthand-list>
>            <shorthand name="font-style" />
>            <shorthand name="font-variant" />
>            <shorthand name="font-weight" />
>            <shorthand name="font-size" />
>            <shorthand name="font-color" />
>            <shorthand name="line-height" />
>            <shorthand name="font-family" />
>          </shorthand-list>
>        </property>
>
>        <property name="font-family">
>          <category-list>
>            <category value="visual" />
>          </category-list>
>          <!-- allowing only generic font families -->
>          <literal-list>
>            <literal value="serif" />
>            <literal value="Arial" />
>            <literal value="lucida console" />
>            <literal value="sans-serif" />
>            <literal value="cursive" />
>            <literal value="verdana" />
>            <literal value="fantasy" />
>            <literal value="monospace" />
>            <!-- Customized font family -->
>            <literal value="Helvetica" />
>          </literal-list>
>          <regexp-list>
>            <regexp value="[\w,\-'&quot; ]+" />
>          </regexp-list>
>        </property>
>
>     </css-rules>
>
> </anti-samy-rules>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-antisamy/attachments/20120419/544114a2/attachment-0001.html>
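One way to narrow down a rejection like the one in this thread before touching the regex is to lint the policy file for references that resolve to nothing. The Python below is an added example; it is not AntiSamy's own code and not something posted in this thread. It embeds a constructed policy fragment modelled on the quoted one (where `<common-regexps>` defines only `letternumber`, yet `font-size` refers to `length` and the `font` shorthand lists `line-height`, which the quoted policy never defines) and reports dangling regexp names, shorthand names with no matching `<property>`, and patterns that fail to compile. It does not reproduce AntiSamy's validation logic; treating a pattern as a hit only when it covers the whole value is an assumption of the example, and the `11px/16px` probe simply shows which defined patterns would accept that value.

```python
import re
import xml.etree.ElementTree as ET

# Constructed policy fragment, modelled on the one quoted in this thread:
# <common-regexps> defines only "letternumber", while <css-rules> references
# a regexp named "length" and the "font" shorthand lists a "line-height"
# property that is never defined. This is NOT AntiSamy's own policy file.
SAMPLE_POLICY = r"""<anti-samy-rules>
  <common-regexps>
    <regexp name="letternumber" value="[A-Za-z0-9\s_/:;#\$-]+"/>
  </common-regexps>
  <common-attributes>
    <attribute name="style">
      <regexp-list><regexp name="letternumber"/></regexp-list>
    </attribute>
  </common-attributes>
  <css-rules>
    <property name="font-size" default="medium">
      <category-list><category value="visual"/></category-list>
      <literal-list><literal value="inherit"/></literal-list>
      <regexp-list><regexp name="length"/></regexp-list>
    </property>
    <property name="font">
      <category-list><category value="visual"/></category-list>
      <literal-list><literal value="/"/></literal-list>
      <shorthand-list>
        <shorthand name="font-size"/>
        <shorthand name="line-height"/>
      </shorthand-list>
      <regexp-list><regexp name="letternumber"/></regexp-list>
    </property>
  </css-rules>
</anti-samy-rules>
"""


def load_common_regexps(root):
    """Compile every <regexp> under <common-regexps>; return (compiled, errors)."""
    compiled, errors = {}, []
    for rx in root.iterfind("./common-regexps/regexp"):
        name = rx.get("name", "")
        try:
            compiled[name] = re.compile(rx.get("value", ""))
        except re.error as exc:
            errors.append((name, str(exc)))
    return compiled, errors


def lint_policy(xml_text):
    """Report references in an AntiSamy-style policy that resolve to nothing.

    Returns a dict with:
      dangling_regexps    - names used in a <regexp name="..."/> reference but
                            not defined under <common-regexps>
      dangling_shorthands - (property, shorthand) pairs whose shorthand names
                            no <property> under <css-rules>
      bad_patterns        - common regexps that do not compile
    """
    root = ET.fromstring(xml_text)
    compiled, bad_patterns = load_common_regexps(root)
    css_props = {p.get("name") for p in root.iterfind("./css-rules/property")}

    dangling_regexps = set()
    for ref in root.iter("regexp"):
        # Definitions and inline patterns carry a value; named references don't.
        if ref.get("value") is None and ref.get("name") not in compiled:
            dangling_regexps.add(ref.get("name"))

    dangling_shorthands = []
    for prop in root.iterfind("./css-rules/property"):
        for sh in prop.iterfind("./shorthand-list/shorthand"):
            if sh.get("name") not in css_props:
                dangling_shorthands.append((prop.get("name"), sh.get("name")))

    return {
        "dangling_regexps": sorted(dangling_regexps),
        "dangling_shorthands": dangling_shorthands,
        "bad_patterns": bad_patterns,
    }


def matching_regexps(xml_text, value):
    """Names of common regexps that cover the whole of `value`.

    Whole-value matching is an assumption of this example, not a statement
    about how AntiSamy applies its patterns."""
    compiled, _ = load_common_regexps(ET.fromstring(xml_text))
    return sorted(name for name, rx in compiled.items() if rx.fullmatch(value))


if __name__ == "__main__":
    for key, val in lint_policy(SAMPLE_POLICY).items():
        print(f"{key}: {val}")
    # The value from the thread's rejected <td style="font: 11px/16px;">
    print("regexps covering '11px/16px':", matching_regexps(SAMPLE_POLICY, "11px/16px"))
```

Run against a real policy by reading the file into `lint_policy`; an empty result for all three keys means every named regexp and shorthand at least resolves, which is the precondition for reasoning about why a particular `style` value is still rejected.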
