What steps will reproduce the problem?
Execute this test case:
@Test
public void testCSSBug() throws ScanException, PolicyException {
    // rgb() with percentage channels: legal CSS, but not allowed by the test policy
    String test = "<span style=\"color: rgb(10%,10%,80%)\">foo</span>";
    CleanResults results_sax = as.scan(test, policy, AntiSamy.SAX);
    CleanResults results_dom = as.scan(test, policy, AntiSamy.DOM);
    // both scanners should agree, and the rejected style attribute should be dropped
    assertEquals(results_sax.getCleanHTML(), results_dom.getCleanHTML());
    assertEquals("<span>foo</span>", results_dom.getCleanHTML());
}
What is the expected output? What do you see instead?
I expect the color attribute verification to fail because my policy
configuration doesn't allow this syntax; and then the empty style attribute to
be removed.
Instead, the scan fails with the following stack trace:
testCSSBug(org.owasp.validator.html.test.AntiSamyTest) Time elapsed: 0.019 sec <<< ERROR!
org.owasp.validator.html.ScanException:
javax.xml.transform.TransformerException: java.lang.IllegalStateException
at org.apache.batik.css.parser.CSSLexicalUnit.getIntegerValue(CSSLexicalUnit.java:119)
at org.owasp.validator.css.CssValidator.lexicalValueToString(CssValidator.java:379)
at org.owasp.validator.css.CssValidator.isValidProperty(CssValidator.java:98)
at org.owasp.validator.css.CssHandler.property(CssHandler.java:484)
at org.apache.batik.css.parser.Parser.parseStyleDeclaration(Parser.java:885)
at org.apache.batik.css.parser.Parser.parseStyleDeclarationInternal(Parser.java:269)
at org.apache.batik.css.parser.Parser.parseStyleDeclaration(Parser.java:1694)
at org.owasp.validator.css.CssScanner.scanInlineStyle(CssScanner.java:202)
at org.owasp.validator.html.scan.MagicSAXFilter.startElement(MagicSAXFilter.java:296)
at org.cyberneko.html.HTMLTagBalancer.callStartElement(HTMLTagBalancer.java:1141)
at org.cyberneko.html.HTMLTagBalancer.startElement(HTMLTagBalancer.java:746)
at org.cyberneko.html.HTMLScanner$ContentScanner.scanStartElement(HTMLScanner.java:2701)
at org.cyberneko.html.HTMLScanner$ContentScanner.scan(HTMLScanner.java:2057)
at org.cyberneko.html.HTMLScanner.scanDocument(HTMLScanner.java:917)
at org.cyberneko.html.HTMLConfiguration.parse(HTMLConfiguration.java:499)
at org.cyberneko.html.HTMLConfiguration.parse(HTMLConfiguration.java:452)
at org.apache.xerces.parsers.XMLParser.parse(Unknown Source)
at org.apache.xerces.parsers.AbstractSAXParser.parse(Unknown Source)
at com.sun.org.apache.xalan.internal.xsltc.trax.TransformerImpl.transformIdentity(TransformerImpl.java:663)
at com.sun.org.apache.xalan.internal.xsltc.trax.TransformerImpl.transform(TransformerImpl.java:732)
at com.sun.org.apache.xalan.internal.xsltc.trax.TransformerImpl.transform(TransformerImpl.java:345)
at org.owasp.validator.html.scan.AntiSamySAXScanner.scan(AntiSamySAXScanner.java:125)
at org.owasp.validator.html.AntiSamy.scan(AntiSamy.java:101)
at org.owasp.validator.html.test.AntiSamyTest.testCSSBug(AntiSamyTest.java:1262)
What version of the product are you using? On what operating system?
1.5.3, Linux.
Please provide any additional information below.
In CSS, a color can be specified many different ways. In this test case, we're
trying to use the RGB percentage values. From
http://www.w3schools.com/cssref/css_colors_legal.asp:
An RGB color value is specified with: rgb(red, green, blue). Each parameter
(red, green, and blue) defines the intensity of the color and can be an integer
between 0 and 255 or a percentage value (from 0% to 100%).
There may be similar failures with other color syntaxes as well, as the
org.owasp.validator.css.CssValidator seems to assume a specific syntax for
SAC_RGBCOLOR.
Original issue reported on code.google.com by danr...@gmail.com on 20 Jan 2015 at 7:33
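A hardened rgb() serialisation, added here as an illustration and not AntiSamy's own code: it checks each parameter's SAC lexical unit type before reading it, so a percentage channel is rendered (and anything unexpected is rejected) instead of calling getIntegerValue() on a non-integer unit, which is what throws the IllegalStateException in the trace above. It assumes Batik's SAC parser (org.apache.batik.css.parser.Parser) and the org.w3c.css.sac interfaces are on the classpath; the class and method names are invented for the example.

```java
import java.io.IOException;
import java.io.StringReader;
import org.apache.batik.css.parser.Parser;
import org.w3c.css.sac.InputSource;
import org.w3c.css.sac.LexicalUnit;

public class RgbLexicalUnitCheck {

    // Serialises an rgb() lexical unit, accepting only the two channel forms
    // CSS defines: SAC_INTEGER (0-255) or SAC_PERCENTAGE (0%-100%). Any other
    // unit type, out-of-range channel or wrong channel count yields null so the
    // caller can drop the declaration rather than letting an exception abort
    // the whole scan. (Example code, not AntiSamy's CssValidator.)
    static String rgbColorToString(LexicalUnit unit) {
        if (unit == null || unit.getLexicalUnitType() != LexicalUnit.SAC_RGBCOLOR) {
            return null;
        }
        StringBuilder out = new StringBuilder("rgb(");
        int channels = 0;
        for (LexicalUnit p = unit.getParameters(); p != null; p = p.getNextLexicalUnit()) {
            switch (p.getLexicalUnitType()) {
                case LexicalUnit.SAC_OPERATOR_COMMA:
                    out.append(',');
                    break;
                case LexicalUnit.SAC_INTEGER:
                    int v = p.getIntegerValue();       // safe: type checked first
                    if (v < 0 || v > 255) return null;
                    out.append(v);
                    channels++;
                    break;
                case LexicalUnit.SAC_PERCENTAGE:
                    float pct = p.getFloatValue();     // percentages are floats in SAC
                    if (pct < 0f || pct > 100f) return null;
                    out.append(pct).append('%');
                    channels++;
                    break;
                default:
                    return null;                       // fail closed on anything else
            }
        }
        return channels == 3 ? out.append(')').toString() : null;
    }

    public static void main(String[] args) throws IOException {
        Parser parser = new Parser();   // Batik's SAC parser, assumed on the classpath
        String[] samples = {"rgb(10%,10%,80%)", "rgb(10,10,80)", "rgb(300,0,0)"};
        for (String css : samples) {   // constructed sample values
            LexicalUnit lu = parser.parsePropertyValue(new InputSource(new StringReader(css)));
            System.out.println(css + " -> " + rgbColorToString(lu));
        }
    }
}
```

A sanitizer can afford to reject out-of-range channels outright rather than clamp them as a browser would; the point is that rejection happens by returning null, not by throwing.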