Hi there,
I'm looking to create my own custom schema to allow both CSS properties that aren't included in CssSchema.java (e.g. align-content) and also values that aren't listed either (e.g. the background 'url' value). I understand anything left out of the class was left out for good reason, but I have a requirement to implement a more lenient CSS whitelist to preserve existing data. From looking through the code, it looks like this could be quite an involved process. To get the ball rolling though, what is the 'bits' variable in a Property object? What function does it serve? How will I figure out the correct 'bits' value for CSS properties that aren't included in the file?
I'm assuming the bits var is not an indication of how many bits the value can use in memory, as some of the properties are declared with 0 bits. Can you recommend some reading / articles discussing this approach to bits / bit fields?
--Thanks!
You received this message because you are subscribed to the Google Groups "OWASP Java HTML Sanitizer Support" group.
To unsubscribe from this group and stop receiving emails from it, send an email to owasp-java-html-sanitizer-support+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Oh, another probably more important step: is it even possible to create a CssSchema with custom properties that aren't defined in your class? I see the constructor is private, and the only other methods that return CssSchema are withProperties (which will throw an IllegalArgumentException if you pass it a property not defined in the class) and union (which requires the CssSchema objects as params).
I could be entirely wrong, but it seems to me the only way to create custom CssSchemas with custom Properties (i.e. those not included in CssSchema.DEFINITIONS) would be to hack the actual jar itself, no?
Cheers!
On Monday, March 26, 2018 at 4:52:17 PM UTC+1, John Wynne wrote:
Thanks for the reply! So I just want to make sure I'm correct in my thinking before moving forward.
The property border-spacing has a bits value of '5'. This means that (ignoring the literals & functions) border-spacing can accept Quantity values which may be negative:
([BIT_NEGATIVE=4] + [BIT_QUANTITY=1]) = 5
Similarly, font-family has a bits value of 72, meaning it can accept Unreserved words and strings: ([BIT_UNRESERVED_WORD=64] + [BIT_STRING=8]) = 72
Thus overflow, which has a bits value of 0, can accept nothing (again, ignoring literals & functions).
But what about those like color (bits=258) or cursor (bits=272)? Would we not require a BIT_* field representing 256? What values can these properties accept?
Also, I can't see where the BIT_UNICODE_RANGE field is ever used in StylingPolicy or elsewhere. Is it used?
I want to put something out there that was discussed at a conference I'm at.
If you're accepting CSS from a user, this is something heavily discouraged and there is no good way to lock this down. CSS can be used to clobber existing CSS, modify major portions of the page, and much worse. This set of features is something Mike supports because it's asked about so much, but it's a sign of very bad design that is going to be dangerous no matter how much we validate untrusted CSS.
We advise staging up CSS that is static and allow untrusted HTML to only reference those classes instead of providing new CSS style.
With respect,
Jim
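An added example (not code from this thread or from the sanitizer project) of the approach Jim recommends above: an HtmlPolicyBuilder policy that lets untrusted markup reference a fixed set of the site's own static class names while dropping any inline style. The class names and the sample input are assumptions for illustration.

```java
import java.util.regex.Pattern;
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

public class ClassOnlyStylingDemo {
    // Hypothetical class names defined in the site's own static stylesheet.
    // The pattern must match the whole attribute value, so every
    // space-separated class has to come from this set.
    private static final Pattern KNOWN_CLASSES =
        Pattern.compile("(?:note|warning|code)(?:\\s+(?:note|warning|code))*");

    // Untrusted HTML may choose among the static classes but can never supply
    // CSS of its own: allowStyling() is deliberately not called, so a style
    // attribute is removed like every other attribute that is not whitelisted.
    static final PolicyFactory POLICY = new HtmlPolicyBuilder()
        .allowElements("p", "div", "em", "strong")
        .allowAttributes("class").matching(KNOWN_CLASSES).onElements("p", "div")
        .toFactory();

    static String sanitize(String untrusted) {
        return POLICY.sanitize(untrusted);
    }

    public static void main(String[] args) {
        // Constructed sample input: a whitelisted class plus an inline style,
        // then a class name the static stylesheet does not define.
        String untrusted =
            "<p class=\"note\" style=\"position:absolute;top:0\">"
            + "class kept, style attribute dropped</p>"
            + "<div class=\"not-in-stylesheet\">"
            + "class attribute dropped because the value fails the pattern</div>";
        System.out.println(sanitize(untrusted));
    }
}
```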
This is very helpful information Mike, I'll add it to the wiki.
Aloha, Jim
-- Jim Manico Manicode Security https://www.manicode.com
I added a brief note about this on the wiki.
https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer_Project#tab=CSS_Sanitization
Aloha, Jim
"There's always Method.setAccessible but let's not encourage that :) I'll put out a version that provides access."