rjatkins / owaspantisamy

Automatically exported from code.google.com/p/owaspantisamy

In the policy file, giving tag or attribute names any caps causes them to get filtered #7

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
I presume this is a bug since I don't see it stated anywhere that
lower-case names are required.

What steps will reproduce the problem?
1. Add the following rule:

        <tag name="b" action="validate">
            <attribute name="id">
                <literal-list>
                    <literal value="feh"/>
                </literal-list>
            </attribute>
            <attribute name="fehOnly">
                <literal-list>
                    <literal value="feh"/>
                </literal-list>
            </attribute>
        </tag>

2. Try it on the following text:

<b id="feh" fehOnly="feh" badAtt="poison">woot</b>

3. Get the following result:

***** DIRTY HTML *****
<b id="feh" fehOnly="feh" badAtt="poison">woot</b>
***** CLEAN HTML *****
<b id="feh">woot</b>

***** ERRORS *****
The <b>badatt</b> attribute of the <b>b</b> tag has been removed for
security reasons. This removal should not affect the display of the HTML
submitted.
The <b>fehonly</b> attribute of the <b>b</b> tag has been removed for
security reasons. This removal should not affect the display of the HTML
submitted.

What is the expected output? What do you see instead?

Change the attribute name ("fehOnly" --> "fehonly"):

<attribute name="fehonly">

And you get the expected output:

***** DIRTY HTML *****
<b id="feh" fehOnly="feh" badAtt="poison">woot</b>
***** CLEAN HTML *****
<b fehonly="feh" id="feh">woot</b>

***** ERRORS *****
The <b>badatt</b> attribute of the <b>b</b> tag has been removed for
security reasons. This removal should not affect the display of the HTML
submitted.

What version of the product are you using? On what operating system?

v1.1.1, MacOS Tiger

Please provide any additional information below.

This happens with tag names, too.

Original issue reported on code.google.com by thedownw...@gmail.com on 10 May 2008 at 1:27

GoogleCodeExporter commented 9 years ago
Fixed. Lookups are case-insensitive, but this means that your policy file must all contain lowercase values.

Thanks!

Original comment by arshan.d...@gmail.com on 25 May 2008 at 1:28
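
A policy lint for the constraint stated in the last comment (tag and attribute names in the policy file must be lowercase), as an added example that is not part of the original thread or of AntiSamy itself. The `<policy>` wrapper, the `BlockQuote` entry and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the rule in the report. The <policy> wrapper
# is an assumption so the fragment parses; a real policy file has more sections.
SAMPLE_POLICY = """\
<policy>
  <tag name="b" action="validate">
    <attribute name="id">
      <literal-list><literal value="feh"/></literal-list>
    </attribute>
    <attribute name="fehOnly">
      <literal-list><literal value="feh"/></literal-list>
    </attribute>
  </tag>
  <tag name="BlockQuote" action="validate"/>
</policy>
"""

CHECKED_ELEMENTS = ("tag", "attribute")


def find_mixed_case_names(policy_xml):
    """Return (element, name, enclosing_tag) for each non-lowercase name."""
    findings = []

    def walk(elem, enclosing_tag):
        name = elem.get("name")
        if elem.tag in CHECKED_ELEMENTS and name and name != name.lower():
            findings.append((elem.tag, name, enclosing_tag))
        if elem.tag == "tag":
            enclosing_tag = name  # attributes below belong to this tag rule
        for child in elem:
            walk(child, enclosing_tag)

    walk(ET.fromstring(policy_xml), None)
    return findings


def lint(policy_xml):
    """Report lines for a build or CI check; an empty list means it passes."""
    return [
        f'<{kind} name="{name}"> is not lowercase; use "{name.lower()}"'
        + (f' (in tag "{parent}")' if parent else "")
        for kind, name, parent in find_mixed_case_names(policy_xml)
    ]


if __name__ == "__main__":
    print("\n".join(lint(SAMPLE_POLICY)))
```

Running a check like this when the policy is loaded or in CI surfaces a mixed-case rule before it shows up as an allowed attribute being stripped from user content.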