gavioto / owaspantisamy

Automatically exported from code.google.com/p/owaspantisamy
0 stars 0 forks source link

Incorrect encoding on Embed/internal style property value #192

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?
CASE 1: 
INPUT: 
<style>
 .spancls{
   font-family: 'Courier New';
} 
</style>
<span class="spancls"> Hello span</span

CASE 2:

INPUT: 
<style>
 .spancls{
   font-family: "Courier New";
} 
</style>
<span class="spancls"> Hello span</span

CASE 3:

INPUT :
@charset "utf-8";
/* CSS Document */
#Toppanel a,#Toppanel span,#Toppanel div {
font-family: 'Lobster', cursive !important;
}

browsers will not interpret .

What is the expected output? What do you see instead?

CASE 1: 

EXPECTED OUTPUT
<style>
 .spancls{
   font-family: 'Courier New';
} 
</style>
<span class="spancls"> Hello span</span

INSTEAD
<style>
*.spancls {
    font-family: &quot;Courier New&quot;;  
}
</style>
<span class="spancls"> Hello span</span>  

single quoted contained space values in embed/internal style is enclosed by 
encoded double quote value    -  browsers will not interpret

CASE 2:

EXPECTED OUTPUT: 
<style>
 .spancls{
   font-family: "Courier New";
} 
</style>
<span class="spancls"> Hello span</span

INSTEAD:
<style>
*.spancls {
    font-family: &quot;Courier New&quot;;  
}
</style>
<span class="spancls"> Hello span</span>  

Double quote is replaced by encoded double quote value    -  browsers will not 
interpret

CASE 3:

EXPECTED OUTPUT: 
@charset "utf-8";
/* CSS Document */
#Toppanel a,#Toppanel span,#Toppanel div {
font-family: 'Lobster', cursive !important;
}

INSTEAD:
@charset &quot;utf-8&quot;;
/* CSS Document */
#Toppanel a,#Toppanel span,#Toppanel div {
font-family: 'Lobster', cursive !important;
}

browsers will not interpret .

What version of the product are you using? On what operating system?

product : antisamy 1.5.3
java : "1.6.0_24"
OS : ubuntu 12.04_LTS

Please provide any additional information below.

Does the solution of 
https://code.google.com/p/owaspantisamy/issues/detail?id=157&can=1&q=inline%20st
yle solve CASE 1 & 2
How to solve CASE 3 ?

Original issue reported on code.google.com by begam.as...@gmail.com on 13 Jul 2015 at 5:49