Comments (6)
It looks like "sans-serif" is a special case since it is not
isNonEmptyAsciiAlnum. When it is not quoted, it is picked up as a generic font.
When quoted, it fails the !isNonEmptyAsciiAlnumSpaceSeparated test.
I think this would work (some tests fail, because the change causes fonts that
are just single alphanum are output without spaces). The real differences is
that CssGrammar.cssContent(token) is called for all tokens, so that test
against the GENERIC_FONT_FAMILIES is done with the de-quoted token.
private static boolean sanitizeFontFamilyOnto(
List<String> tokens, StringBuilder out) {
int n = tokens.size();
if (n == 0) { return false; }
if (out.length() != 0) { out.append(','); }
if (n == 1) {
String token = tokens.get(0);
token = CssGrammar.cssContent(token).trim();
if (isNonEmptyAsciiAlnumSpaceSeparated(token)) {
if (isNonEmptyAsciiAlnum(token))
out.append(token);
else
out.append('"').append(token).append('"');
return true;
}
token = Strings.toLowerCase(token);
if (GENERIC_FONT_FAMILIES.contains(token)) {
out.append(token);
return true;
}
return false;
}
// Quote space separated words so that they are not confused with user-agent
// extensions like expression(...) or -webkit-small-control.
out.append('"');
for (int i = 0; i < n; ++i) {
String token = tokens.get(i);
if (!isNonEmptyAsciiAlnum(token)) { return false; }
if (i != 0) { out.append(' '); }
out.append(token);
}
out.append('"');
return true;
}
Original comment by [email protected]
on 11 May 2013 at 11:07
from java-html-sanitizer.
Strange.
StylingPolicyTest.java circa line 100 has tests for sans-serif but none for
serif.
Will add tests for serif and probably move the set check before
isNonEmptyAsciiAlnumSpaceSeparated.
Original comment by [email protected]
on 12 May 2013 at 6:57
- Changed state: Accepted
from java-html-sanitizer.
Ok. It seems I misunderstood the bug. The problem occurs when "sans-serif" is
quoted, and "mso-fareast-language:EN-GB" is consistently dropped.
My understanding is that when sans-serif is quoted, the browser should look for
a font named "sans-serif", but not treat it as a generic font per the last
sentence quoted from http://www.w3.org/TR/css3-fonts/ :
<generic-family>
The following generic family keywords are defined: ‘serif’, ‘sans-serif’, ‘cursive’, ‘fantasy’,
and ‘monospace’. These keywords can be used as a general fallback mechanism when an
author's desired font choices are not available. As keywords, they must not be quoted.
I am rejecting font family names with dashes since I found no widely available
web fonts that are not browser specific extensions and thus possible vectors
for trusted path violations. I could white-list some dashed names, but don't
see why "sans-serif" should be on that white list.
Original comment by [email protected]
on 12 May 2013 at 7:08
- Changed state: New
from java-html-sanitizer.
The double-quoted "sans-serif" comes from pasting MS Excel content into a rich
text editor or MS Outlook, then emailing. Here is an example:
<span style='font-family:"Arial","sans-serif";mso-fareast-language:EN-GB'>
Likely, the author of the code that produced this has not read the standard as
well as you have (neither had I). Browsers (tested with Chrome) seem to treat
"sans-serif" the same as the unquoted keyword.
In practice, this should not be a big deal, since in most cases people chose
main fonts that are widely available. Now that I understand better based on
your explanation, I agree that it's better to be strict, ie this is not a
defect.
Thanks!
Original comment by [email protected]
on 12 May 2013 at 7:24
from java-html-sanitizer.
Original comment by [email protected]
on 12 May 2013 at 7:45
- Changed state: WontFix
from java-html-sanitizer.
Issue 27 has been merged into this issue.
Original comment by [email protected]
on 31 Mar 2014 at 5:04
from java-html-sanitizer.
Related Issues (20)
- xxx-large font-size is discarded when allowStyling() is used HOT 6
- Issue while disallowing attributes matching pattern
- Remove malicious code from svg content HOT 1
- Encoding malicious code instead of removing it HOT 4
- Index out of bound when empty list is passed to `allowAttributes(...).globally()`
- Guava removal breaks compatibility (with JDK9) HOT 13
- Html sanitizer repeatedly adds rel="noopener noreferrer" even if it's pre-exist HOT 1
- SECURITY.MD currently does not contain sensible information
- Sanitizing CSS HOT 3
- ClassNotFoundException: org.owasp.shim.Java8Shim after update to 20240325.1 HOT 5
- Release 20240325 cannot be transpiled HOT 1
- Issue in 2024x version with styles
- Question: What means Recognize foreign content syntactic context: mathml / svg?
- Issues encountered while processing <a> tags
- rel attributes are reordered in 20220608.1
- Possible to enforce having mutliple attributes on tag?
- On Java8Shim class, better to catch Throwable instead of Error
- text-align literals are outdated
- Please build the Java8/10 shim classes into the sanitizer JAR
- Issue with HTML Sanitization: Improper Handling of <div> Tag Inside <table>
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from java-html-sanitizer.