What steps will reproduce the problem?
1. Create policy that allows percentages for CSS RGB values
2. Parse HTML/CSS input that contains percentages in RGB values, for example `rgb(30.5%, 3.2%, 50.6%)`
What is the expected output? What do you see instead?
AntiSamy should allow it based on the policy; instead an Exception is thrown:

```
java.lang.IllegalStateException
at org.apache.batik.css.parser.CSSLexicalUnit.getIntegerValue(CSSLexicalUnit.java:119)
at org.owasp.validator.css.CssValidator.lexicalValueToString(CssValidator.java:389)
at org.owasp.validator.css.CssValidator.isValidProperty(CssValidator.java:101)
at org.owasp.validator.css.CssHandler.property(CssHandler.java:488)
at org.apache.batik.css.parser.Parser.parseStyleDeclaration(Parser.java:885)
at org.apache.batik.css.parser.Parser.parseStyleDeclarationInternal(Parser.java:269)
at org.apache.batik.css.parser.Parser.parseStyleDeclaration(Parser.java:1694)
at org.owasp.validator.css.CssScanner.scanInlineStyle(CssScanner.java:216)
at org.owasp.validator.html.scan.AntiSamyDOMScanner.recursiveValidateTag(AntiSamyDOMScanner.java:568)
at org.owasp.validator.html.scan.AntiSamyDOMScanner.recursiveValidateTag(AntiSamyDOMScanner.java:738)
at org.owasp.validator.html.scan.AntiSamyDOMScanner.recursiveValidateTag(AntiSamyDOMScanner.java:738)
at org.owasp.validator.html.scan.AntiSamyDOMScanner.recursiveValidateTag(AntiSamyDOMScanner.java:738)
at org.owasp.validator.html.scan.AntiSamyDOMScanner.recursiveValidateTag(AntiSamyDOMScanner.java:738)
at org.owasp.validator.html.scan.AntiSamyDOMScanner.scan(AntiSamyDOMScanner.java:153)
at org.owasp.validator.html.AntiSamy.scan(AntiSamy.java:113)
```
What version of the product are you using? On what operating system?
1.4.4 on Linux
Please provide any additional information below.
The case statement for LexicalUnit.SAC_RGBCOLOR in the lexicalValueToString
method in CSSValidator assumes the values are always integers. It should
probably check if they are percentages, and return the correct string
accordingly.
This is the statement I'm referring to:
CSSValidator.java

```java
...
public String lexicalValueToString(LexicalUnit lu) {
....
case LexicalUnit.SAC_RGBCOLOR:
// this is a rgb encoded color
StringBuffer sb = new StringBuffer("rgb(");
LexicalUnit param = lu.getParameters();
sb.append(param.getIntegerValue()); // R value
sb.append(',');
param = param.getNextLexicalUnit(); // comma
param = param.getNextLexicalUnit(); // G value
sb.append(param.getIntegerValue());
sb.append(',');
param = param.getNextLexicalUnit(); // comma
param = param.getNextLexicalUnit(); // B value
sb.append(param.getIntegerValue());
sb.append(')');
return sb.toString();
....
```
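One way to handle both integer and percentage channels, as an added illustration rather than AntiSamy's own fix: the class and method names (`RgbColorRenderer`, `channel`, `rgbToString`) are hypothetical, and it relies only on the SAC `LexicalUnit` interface that the snippet above already uses. Returning `null` lets the caller reject the property instead of propagating an exception out of the scanner.

```java
import org.w3c.css.sac.LexicalUnit;

/** Hypothetical helper, not AntiSamy's own code: renders a SAC_RGBCOLOR unit
 *  accepting integer and percentage channels, and returns null (so the caller
 *  can treat the property as invalid) instead of throwing on anything else. */
public final class RgbColorRenderer {

    /** One channel as CSS text, or null if the unit is missing or unsupported. */
    static String channel(LexicalUnit unit) {
        if (unit == null) {
            return null;
        }
        switch (unit.getLexicalUnitType()) {
            case LexicalUnit.SAC_INTEGER:
                // rgb(255, 0, 128): getIntegerValue() is only valid for this type
                return Integer.toString(unit.getIntegerValue());
            case LexicalUnit.SAC_PERCENTAGE:
                // rgb(30.5%, 3.2%, 50.6%): percentages carry a float, so calling
                // getIntegerValue() here is what raises the IllegalStateException
                return unit.getFloatValue() + "%";
            default:
                // strings, functions, dimensions etc. are not colour channels
                return null;
        }
    }

    /** Whole rgb(...) string, or null if any channel is unsupported or missing. */
    public static String rgbToString(LexicalUnit lu) {
        if (lu == null || lu.getLexicalUnitType() != LexicalUnit.SAC_RGBCOLOR) {
            return null;
        }
        String[] parts = new String[3];
        LexicalUnit param = lu.getParameters();
        for (int i = 0; i < 3; i++) {
            parts[i] = channel(param);
            if (parts[i] == null) {
                return null;
            }
            // step over the comma operator to the next channel; channel(null)
            // fails the next pass if the parameter list is too short
            param = param.getNextLexicalUnit();
            if (param != null) {
                param = param.getNextLexicalUnit();
            }
        }
        return "rgb(" + String.join(",", parts) + ")";
    }
}
```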
Original issue reported on code.google.com by wvinc...@gmail.com on 9 Aug 2012 at 9:16