pscmsc1007 / owaspantisamy

Automatically exported from code.google.com/p/owaspantisamy
0 stars 0 forks source link

CSS RGB values containing percentages throws Exception #140

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?
1.  Create policy that allows percentages for CSS RGB values 
2.  Parse HTML/CSS input that contains percentages in RGB values, example 
rgb(30.5%, 3.2%, 50.6%)

What is the expected output? What do you see instead?
AntiSamy should allow based on policy, instead an Exception is thrown

java.lang.IllegalStateException
    at org.apache.batik.css.parser.CSSLexicalUnit.getIntegerValue(CSSLexicalUnit.java:119)
    at org.owasp.validator.css.CssValidator.lexicalValueToString(CssValidator.java:389)
    at org.owasp.validator.css.CssValidator.isValidProperty(CssValidator.java:101)
    at org.owasp.validator.css.CssHandler.property(CssHandler.java:488)
    at org.apache.batik.css.parser.Parser.parseStyleDeclaration(Parser.java:885)
    at org.apache.batik.css.parser.Parser.parseStyleDeclarationInternal(Parser.java:269)
    at org.apache.batik.css.parser.Parser.parseStyleDeclaration(Parser.java:1694)
    at org.owasp.validator.css.CssScanner.scanInlineStyle(CssScanner.java:216)
    at org.owasp.validator.html.scan.AntiSamyDOMScanner.recursiveValidateTag(AntiSamyDOMScanner.java:568)
    at org.owasp.validator.html.scan.AntiSamyDOMScanner.recursiveValidateTag(AntiSamyDOMScanner.java:738)
    at org.owasp.validator.html.scan.AntiSamyDOMScanner.recursiveValidateTag(AntiSamyDOMScanner.java:738)
    at org.owasp.validator.html.scan.AntiSamyDOMScanner.recursiveValidateTag(AntiSamyDOMScanner.java:738)
    at org.owasp.validator.html.scan.AntiSamyDOMScanner.recursiveValidateTag(AntiSamyDOMScanner.java:738)
    at org.owasp.validator.html.scan.AntiSamyDOMScanner.scan(AntiSamyDOMScanner.java:153)
    at org.owasp.validator.html.AntiSamy.scan(AntiSamy.java:113)

What version of the product are you using? On what operating system?

1.4.4 on Linux

Please provide any additional information below.

In the case statement for LexicalUnit.SAC_RGBCOLOR in the lexicalValueToString 
method in CSSValidator assumes the values are always integers.  It should 
probably check if they are percentages, and return the correct string 
accordingly.

This the statement I'm referring to:

CSSValidator.java

...
    public String lexicalValueToString(LexicalUnit lu) {
            ....
        case LexicalUnit.SAC_RGBCOLOR:
            // this is a rgb encoded color
            StringBuffer sb = new StringBuffer("rgb(");
            LexicalUnit param = lu.getParameters();
            sb.append(param.getIntegerValue()); // R value
            sb.append(',');
            param = param.getNextLexicalUnit(); // comma
            param = param.getNextLexicalUnit(); // G value
            sb.append(param.getIntegerValue());
            sb.append(',');
            param = param.getNextLexicalUnit(); // comma
            param = param.getNextLexicalUnit(); // B value
            sb.append(param.getIntegerValue());
            sb.append(')');

            return sb.toString();
             ....

Original issue reported on code.google.com by wvinc...@gmail.com on 9 Aug 2012 at 9:25

GoogleCodeExporter commented 8 years ago
Sorry for duplicate... please junk this one

Original comment by wvinc...@gmail.com on 10 Aug 2012 at 11:12

GoogleCodeExporter commented 8 years ago

Original comment by arshan.d...@gmail.com on 17 Sep 2012 at 1:57