xiebiao / owaspantisamy

Automatically exported from code.google.com/p/owaspantisamy

incorrect handling on single quoted (contains space) inline style property #157

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?

1. case 1
input html : <span style="font-family:'lucida console'">hello</span>
rule : 
<property name="font-family" description="">
    <category-list>
        <category value="visual"/>
    </category-list>
    <!-- allowing only generic font families -->
    <literal-list>
    <literal value="&apos;lucida console&apos;"/>
    </literal-list>
</property>

2. case 2
input html : <span style="font-family:'lucida console'">hello</span>
rule : 
<property name="font-family" description="">
    <category-list>
        <category value="visual"/>
    </category-list>
    <!-- allowing only generic font families -->
    <literal-list>
        <literal value="&quot;lucida console&quot;"/>
    </literal-list>
</property>

What is the expected output? What do you see instead?

1. case 1
expected : <span style="font-family: 'lucida console';">hello</span>
instead  : <span style="">hello</span>

2. case 2
expected : <span style="font-family: 'lucida console';">hello</span>
instead  : <span style="font-family: &quot;lucida console&quot;;">hello</span>

What version of the product are you using? On what operating system?
product : antisamy 1.4.4
os      : Windows 7 x64 Enterprise

Please provide any additional information below.

An inline style property that contains a space must be single quoted. A double-quoted 
property causes an invalid tag.

org.owasp.validator.css.CssValidator.lexicalValueToString should recognize 
inline style or non-inline style, like below.

        case LexicalUnit.SAC_IDENT:
            // just a string/identifier
            String stringValue = lu.getStringValue();

            if (stringValue.indexOf(" ") != -1) {
                // an inline style property value that contains a space must be single quoted
                if (isInline) {
                    stringValue = "'" + stringValue + "'";
                } else { // a non-inline CSS property value that contains a space must be double quoted
                    stringValue = "\"" + stringValue + "\"";
                }
            }
            return stringValue;

Original issue reported on code.google.com by lemonf...@gmail.com on 13 Mar 2013 at 6:31
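
The two reported cases and the proposed context-aware quoting can be reproduced with the stand-alone sketch below, which is an added example and not AntiSamy's code. It assumes the pre-fix serializer always double-quotes identifiers containing a space (inferred from the outputs in the report); all class and method names are hypothetical.

```java
import java.util.Set;

// Added illustration; names are hypothetical, not AntiSamy's API.
public class FontFamilyQuotingDemo {

    // Quote an identifier containing a space, choosing the quote by context
    // (the behaviour the issue proposes for lexicalValueToString).
    static String contextAware(String ident, boolean isInline) {
        if (ident.indexOf(' ') == -1) return ident;
        return isInline ? "'" + ident + "'" : "\"" + ident + "\"";
    }

    // Assumed pre-fix behaviour, inferred from the reported outputs:
    // always double-quote, whatever the context.
    static String alwaysDouble(String ident) {
        return ident.indexOf(' ') == -1 ? ident : "\"" + ident + "\"";
    }

    // Minimal escaping so the value cannot terminate a double-quoted attribute.
    static String escapeAttr(String v) {
        return v.replace("&", "&amp;").replace("\"", "&quot;").replace("<", "&lt;");
    }

    // Builds the sanitized tag; the property is dropped when the serialized
    // value is not in the policy's literal list.
    static String render(String serialized, Set<String> literals) {
        String style = literals.contains(serialized)
                ? "font-family: " + escapeAttr(serialized) + ";" : "";
        return "<span style=\"" + style + "\">hello</span>";
    }

    public static void main(String[] args) {
        String ident = "lucida console";                        // constructed sample
        Set<String> singleLit = Set.of("'lucida console'");     // case 1 policy literal
        Set<String> doubleLit = Set.of("\"lucida console\"");   // case 2 policy literal

        // Case 1: assumed pre-fix serializer against the single-quoted literal.
        System.out.println(render(alwaysDouble(ident), singleLit));
        // Case 2: assumed pre-fix serializer against the double-quoted literal.
        System.out.println(render(alwaysDouble(ident), doubleLit));
        // Proposed: inline context, single-quoted literal.
        System.out.println(render(contextAware(ident, true), singleLit));
        // Proposed: stylesheet (non-inline) context keeps double quotes.
        System.out.println("span { font-family: " + contextAware(ident, false) + "; }");
    }
}
```

Requires Java 9 or later for `Set.of`. The `escapeAttr` step is what keeps a double-quoted value from closing the surrounding `style="..."` attribute early.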