[owasp-antisamy] inline style css font cannot pass security problem

Arshan Dabirsiaghi arshan.dabirsiaghi at aspectsecurity.com
Thu Apr 19 15:04:29 UTC 2012


We won't be able to debug your regex for you. Have you tested in a small
unit test elsewhere?


Second, adding that regex to the common "style" attribute is wrong and
may cause problems; it should definitely be removed.


Third, if you're looking for a successful pattern to model, look at the
"border-color" property from the main AntiSamy policy [0] which
successfully uses a regexp-list.


Good luck!

Arshan


[0] http://code.google.com/p/owaspantisamy/source/browse/trunk/Java/antisamy-sample-configs/src/main/resources/antisamy.xml

 

From: peter fan [mailto:saaspeter at gmail.com] 
Sent: Thursday, April 19, 2012 10:55 AM
To: Arshan Dabirsiaghi
Cc: owasp-antisamy at lists.owasp.org
Subject: Re: [owasp-antisamy] inline style css font cannot pass security problem


Thanks for your reply. When I add the regex value in font, it also fails,
like this:

    <common-regexps>
        <regexp name="letternumber" value="[A-Za-z0-9\s_/:;#\$-]+"/>
    </common-regexps>......

    <common-attributes>
        ......
        <attribute name="style" description="">
            <regexp-list>
                <regexp name="letternumber"/>
            </regexp-list>
        </attribute>
        ......
    </common-attributes>

    <css-rules>
        <property name="font" description="">
            <category-list>
                <category value="visual" />
            </category-list>
            <literal-list>
                <literal value="/" />
                ......
            </literal-list>
            <shorthand-list>
                ......
            </shorthand-list>
            <regexp-list>
                <regexp name="letternumber" />
            </regexp-list>
        </property>
    </css-rules>

2012/4/19 Arshan Dabirsiaghi <arshan.dabirsiaghi at aspectsecurity.com>

Your rule for font is all literal values. You'll need to add a regex
value that matches the input you desire.

       <property name="font" >
         <category-list>
           <category value="visual" />
         </category-list>
         <literal-list>
           <literal value="/" />
           <literal value="caption" />
           <literal value="icon" />
           <literal value="menu" />
           <literal value="message-box" />
           <literal value="small-caption" />
           <literal value="status-bar" />
           <literal value="inherit" />
         </literal-list>
         <shorthand-list>
           <shorthand name="font-style" />
           <shorthand name="font-variant" />
           <shorthand name="font-weight" />
           <shorthand name="font-size" />
           <shorthand name="font-color" />
           <shorthand name="line-height" />
           <shorthand name="font-family" />
         </shorthand-list>
       </property>

From: owasp-antisamy-bounces at lists.owasp.org
[mailto:owasp-antisamy-bounces at lists.owasp.org] On Behalf Of peter fan
Sent: Wednesday, April 18, 2012 5:12 AM
To: owasp-antisamy at lists.owasp.org
Subject: [owasp-antisamy] inline style css font cannot pass security problem

Hi all:

   I use AntiSamy to check this input string:
   <table><tbody><tr><td align="left" style="font: 11px/16px;" valign="top"></td></tr></tbody></table>

   The security check does not pass; the error message is: The td tag had a
   style attribute, "font", that could not be allowed for security reasons.

   My AntiSamy rules are shown below. I also referred to the earlier archived
   e-mail "[Owasp-antisamy] inline style problem" (Tue Mar 17 12:11:32 EDT
   2009), so I added CSS rules, but the inline font style still does not pass.

   Could anyone help me with this?

Thanks & Regards

-Peter

 <anti-samy-rules xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                  xsi:noNamespaceSchemaLocation="antisamy.xsd">

    <directives>
        <directive name="omitXmlDeclaration" value="true"/>
        <directive name="omitDoctypeDeclaration" value="true"/>
        <directive name="maxInputSize" value="10000"/>
        <directive name="useXHTML" value="true"/>
        <directive name="formatOutput" value="true"/>
        <directive name="embedStyleSheets" value="false"/>
    </directives>

    <!-- "letternumber" is the only named regexp defined in this policy as posted;
         the css-rules below also reference absolute-size, relative-size, length,
         percentage, number, colorName, colorCode, rgbCode and systemColor by name. -->
    <common-regexps>
        <regexp name="letternumber" value="[A-Za-z0-9\s_/:;#\$-]+"/>
    </common-regexps>

    <common-attributes>
        <attribute name="style">
            <regexp-list>
                <regexp name="letternumber"/>
            </regexp-list>
        </attribute>
    </common-attributes>

    <global-tag-attributes>
    </global-tag-attributes>

    <tag-rules>

        <tag name="table" action="validate">
            <attribute name="noresize">
                <literal-list>
                    <literal value="noresize" />
                    <literal value="" />
                </literal-list>
            </attribute>
        </tag>

        <tag name="td" action="validate">
            <!-- tag-level attribute rules use <attribute>, referring to the
                 common "style" attribute declared above -->
            <attribute name="style" />
        </tag>

        <tag name="tbody" action="validate">
        </tag>

    </tag-rules>

    <css-rules>
        <property name="font-size" default="medium" description="">
            <category-list>
                <category value="visual" />
            </category-list>
            <literal-list>
                <literal value="inherit" />
            </literal-list>
            <regexp-list>
                <regexp name="absolute-size" />
                <regexp name="relative-size" />
                <regexp name="length" />
                <regexp name="percentage" />
            </regexp-list>
        </property>

        <property name="font-color" description="">
            <category-list>
                <category value="visual" />
            </category-list>
            <regexp-list>
                <regexp name="colorName" />
                <regexp name="colorCode" />
                <regexp name="rgbCode" />
                <regexp name="systemColor" />
            </regexp-list>
        </property>

        <property name="font-size-adjust" default="none" description="">
            <category-list>
                <category value="visual" />
            </category-list>
            <literal-list>
                <literal value="none" />
                <literal value="inherit" />
            </literal-list>
            <regexp-list>
                <regexp name="number" />
            </regexp-list>
        </property>

        <property name="font-style" default="normal" description="">
            <category-list>
                <category value="visual" />
            </category-list>
            <literal-list>
                <literal value="normal" />
                <literal value="italic" />
                <literal value="oblique" />
                <literal value="inherit" />
            </literal-list>
        </property>

        <property name="font-variant" default="normal" description="">
            <category-list>
                <category value="visual" />
            </category-list>
            <literal-list>
                <literal value="normal" />
                <literal value="small-caps" />
                <literal value="inherit" />
            </literal-list>
        </property>

        <property name="font-weight" default="normal" description="">
            <category-list>
                <category value="visual" />
            </category-list>
            <literal-list>
                <literal value="normal" />
                <literal value="bold" />
                <literal value="bolder" />
                <literal value="lighter" />
                <literal value="100" />
                <literal value="200" />
                <literal value="300" />
                <literal value="400" />
                <literal value="500" />
                <literal value="600" />
                <literal value="700" />
                <literal value="800" />
                <literal value="900" />
                <literal value="inherit" />
            </literal-list>
        </property>

        <property name="font" >
            <category-list>
                <category value="visual" />
            </category-list>
            <literal-list>
                <literal value="/" />
                <literal value="caption" />
                <literal value="icon" />
                <literal value="menu" />
                <literal value="message-box" />
                <literal value="small-caption" />
                <literal value="status-bar" />
                <literal value="inherit" />
            </literal-list>
            <!-- each shorthand names another css-rules property; line-height
                 has no <property> definition in this policy as posted -->
            <shorthand-list>
                <shorthand name="font-style" />
                <shorthand name="font-variant" />
                <shorthand name="font-weight" />
                <shorthand name="font-size" />
                <shorthand name="font-color" />
                <shorthand name="line-height" />
                <shorthand name="font-family" />
            </shorthand-list>
        </property>

        <property name="font-family">
            <category-list>
                <category value="visual" />
            </category-list>
            <!-- allowing only generic font families -->
            <literal-list>
                <literal value="serif" />
                <literal value="Arial" />
                <literal value="lucida console" />
                <literal value="sans-serif" />
                <literal value="cursive" />
                <literal value="verdana" />
                <literal value="fantasy" />
                <literal value="monospace" />
                <!-- Customized font family -->
                <literal value="Helvetica" />
            </literal-list>
            <regexp-list>
                <!-- the double quote must be escaped inside an XML attribute value -->
                <regexp value="[\w,\-'&quot; ]+" />
            </regexp-list>
        </property>

    </css-rules>

</anti-samy-rules>

 
