Re: [owasp-sanitizer] enable nesting of list elements...

[Mike Samuel]

2012/10/22 Jon Stevens <latc...@gmail.com>:
> first... thanks for an excellent project.
>
> second, it seems perfectly valid html like this:
>
> <ul>
> <li>asdf</li>
> <ul>
> <li>adfasdf</li>
> </ul>
> </ul>
>
> is getting sanitized into this:
>
> <ul>
> <li>asdf</li>
> </ul>
> <ul>
> <li>adfasdf</li>
> </ul>
>
> I've looked through the docs and the source (v117), but I can't seem to
> figure it out. Is there some way to keep the nesting?

This smells like a bug in

http://code.google.com/p/owasp-java-html-sanitizer/source/browse/trunk/src/main/org/owasp/html/TagBalancingHtmlStreamEventReceiver.java

which introduces end tags to prevent HTML from breaking out of tables
and lists used for formatting and from containers that establish a
viewport or clip region.

I'll look into it.

[James Manico]

I don't think UL where a LI should be is valid HTML. This is NOT valid
HTML I conject.

That embedded UL needs to be IN a LI tag like:

<ul>
<li> item 1 </li>
<li><UL> ... start new list here.

I could be wrong and often am. :)

--
Jim Manico
(808) 652-3805

On Oct 22, 2012, at 6:43 PM, Jon Stevens <latc...@gmail.com> wrote:

> first... thanks for an excellent project.
>
> second, it seems perfectly valid html like this:
>
> <ul>
> <li>asdf</li>
> <ul>
> <li>adfasdf</li>
> </ul>
> </ul>
>
> is getting sanitized into this:
>
> <ul>
> <li>asdf</li>
> </ul>
> <ul>
> <li>adfasdf</li>
> </ul>
>
> I've looked through the docs and the source (v117), but I can't seem to figure it out. Is there some way to keep the nesting?
>

> thanks,
>
> jon

[Jon Stevens]

Hi James,

Sorry to be the bearer of bad news, but as far as I'm reading per the specs, you're incorrect. 

ul is listed as part of the flow content, which is part of the content model for li.

http://www.whatwg.org/specs/web-apps/current-work/multipage/grouping-content.html#the-li-element

http://www.whatwg.org/specs/web-apps/current-work/multipage/elements.html#element-dfn-content-model

http://www.whatwg.org/specs/web-apps/current-work/multipage/elements.html#flow-content

To be clear, it also isn't the example of failure that I gave. ;-)

best,

jon

[James Manico]

According to the WC3 html validator, this is not legal HTML.

I get the error:

1.  Line 5, Column 6: document type does not allow element "UL" here; assuming missing "LI" start-tag

     <ul> 

   ✉

   
   

I still could be wrong :) try it yourself here:

http://validator.w3.org/#validate_by_input

--

Jim Manico

VP, Security Architecture

WhiteHat Security

(808) 652-3805

[Jon Stevens]

Hi Jim,

That error is because you didn't create a fully formed document. It doesn't like <ul> in whatever you gave it.

Try this:

<!doctype html>

<html>

<head>

<title>foo</title>

</head>

<body>

<ul><li>laskdfj<ul><li>laksdjf</ul></ul>

</body>

</html>

Note: I left off the </li> because technically, you don't need it. Adding it has no effect on the validation...

<!doctype html>

<html>

<head>

<title>foo</title>

</head>

<body>

<ul><li>laskdfj<ul><li>laksdjf</li></ul></li></ul>

</body>

</html>

best,

jon

[James Manico]

1.  Line 9, Column 6: Element ul not allowed as child of element ul in this context. (Suppressing further errors from this subtree.)

     <ul>

   Contexts in which element ul may be used:

   Where flow content is expected.

   Content model for element ul:

   Zero or more li elements.

   
   

The </li> matter. Add then back in and try the w3c validator.

--

Jim Manico

VP, Security Architecture

WhiteHat Security

(808) 652-3805

[James Manico]

Try this against the w3c validator. You cannot put a UL where a LI is
expected. The missing </li> 's matter.

<!doctype html>
<html>
<head>
<title>foo</title>
</head>
<body>
<ul>

<li>laskdfj</li>

<ul>
<li>laksdjf</li>
</ul>

</ul>
</body>
</html>

--
Jim Manico
VP, Security Architecture
WhiteHat Security
(808) 652-3805

[Jon Stevens]

Ah, yes... that is indeed invalid, but oddly the browser parses it correctly.

What is generating it is http://imperavi.com/redactor/

jon

[Mike Samuel]

2012/10/23 Jon Stevens <latc...@gmail.com>

>
> Ah, yes... that is indeed invalid, but oddly the browser parses it
> correctly.
>
> What is generating it is http://imperavi.com/redactor/
>
> jon

Odd. My eyes completely glazed over when I saw that example before,
and I assumed it was a nested list.
<ul><li>...</li><li><ul>...</ul></li></ul>
instead of
<ul><li>...</li><ul>...</ul></ul>
Either way, the tag balancer is not following the HTML5 specified
error recovery steps: "assuming missing "LI" start-tag"

I've filed http://code.google.com/p/owasp-java-html-sanitizer/issues/detail?id=7
to track this issue.

[Jon Stevens]

I've also emailed the redactor folks to tell them they need to fix
their generator.

Thanks Mike,

jon

[James Manico]

Awesome John. This is still a good bug report and mandates some fixin'

Thank you good sir! :)

--
Jim Manico
(808) 652-3805

[Mike Samuel]

2012/10/23 James Manico <j...@manico.net>:

> Awesome John. This is still a good bug report and mandates some fixin'
>
> Thank you good sir! :)

Mandated fix is available at
http://code.google.com/p/owasp-java-html-sanitizer/source/detail?r=121
If trunk addresses your issue I'll cut a release.

[Jon Stevens]

wow, this is the first project i've seen in about 15 years that uses a
makefile to build a java project.

mind emailing me a .jar file and i'll test with it?

jon

[Jim Manico]

John,

I think you had a typo. I think you mean to say, thank you Mike Samuel for all your hard work in supporting this high performance professional-grade OWASP project?

;) Aloha,
Jim

[Jim Manico]

> Awesome John. This is still a good bug report and mandates some fixin'

That was a typo Mike.

I mean to say, "I think this is a good bug report and merits fixing if the project leader agrees"

Mandate--

;) Aloha,
Jim

[Jon Stevens]

I think you have a typo, my name is Jon, not John.

=)

jon

[Jim Manico]

I'm having a lot of typo problems today, Jon. =)

Aloha,

Jim