rjatkins / owaspantisamy

Automatically exported from code.google.com/p/owaspantisamy

unwanted whitespace chars in output #56

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
This issue refers to this mailing-list thread:
https://lists.owasp.org/pipermail/owasp-antisamy/2009-October/000273.html

* INPUT:
<SPAN style='font-weight: bold;'>Hello World!</SPAN>

* OUTPUT:
<span style="   font-weight: bold;
">Hello World!</span>

notes: 
 * after 'style="' there is a tab character \t
 * after 'bold;' there is a linebreak \n
 * the very last character (after '</span>') is also a linebreak \n

* expected: the output should not include any of those whitespace chars.

* Version info:
  * antisamy version: antisamy-1.2.jar
  * Java version 1.6
  * OS: Windows XP

* even if formatOutput is false, these whitespace characters are in the output

* relevant policy settings:
    <directives>
        <directive name="omitXmlDeclaration" value="true"/>
        <directive name="omitDoctypeDeclaration" value="true"/>
        <directive name="maxInputSize" value="5000"/>
        <directive name="useXHTML" value="true"/>
        <directive name="formatOutput" value="true"/>

        <directive name="embedStyleSheets" value="false"/>
    </directives>

        <regexp name="anything" value=".*"/>

        <tag name="span" action="validate">
            <attribute name="style">
                <regexp-list>
                    <regexp name="anything"/>
                </regexp-list>
            </attribute>
        </tag>

        <property name="font-weight" default="normal">
            <category-list>
                <category value="visual"/>
            </category-list>
            <literal-list>
                <literal value="normal"/>
                <literal value="bold"/>
            </literal-list>
        </property> 

Original issue reported on code.google.com by martin.t...@gmail.com on 16 Oct 2009 at 2:40

GoogleCodeExporter commented 9 years ago
I couldn't reproduce this issue. Maybe you should try the 1.3 or the latest 1.4
builds. Here is my test case which passes:

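// `as` (the AntiSamy scanner) and `policy` are defined outside this snippet.
try {
    String s = "<SPAN style='font-weight: bold;'>Hello World!</SPAN>";
    // Expected output: lower-cased tag, double-quoted attribute, no added tabs or line breaks.
    String expected = "<span style=\"font-weight: bold;\">Hello World!</span>";

    CleanResults cr = as.scan(s, policy);
    String s2 = cr.getCleanHTML();

    System.out.println("Cleaned string = " + s2);

    assertEquals(expected, s2);

} catch (Exception e) {
    fail(e.getMessage());
}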

Original comment by arshan.d...@gmail.com on 24 Nov 2009 at 3:22

GoogleCodeExporter commented 9 years ago
I can confirm that this works now as expected with version 1.3

Original comment by martin.t...@gmail.com on 4 Dec 2009 at 10:04