Quote-dependent loss of fonts from font-family style about java-html-sanitizer HOT 6 CLOSED

It looks like "sans-serif" is a special case since it is not 
isNonEmptyAsciiAlnum. When it is not quoted, it is picked up as a generic font. 
When quoted, it fails the !isNonEmptyAsciiAlnumSpaceSeparated test.

I think this would work (some tests fail, because the change causes fonts that 
are just single alphanum are output without spaces). The real differences is 
that CssGrammar.cssContent(token) is called for all tokens, so that test 
against the GENERIC_FONT_FAMILIES is done with the de-quoted token.

  private static boolean sanitizeFontFamilyOnto(
      List<String> tokens, StringBuilder out) {

    int n = tokens.size();
    if (n == 0) { return false; }
    if (out.length() != 0) { out.append(','); }
    if (n == 1) {
      String token = tokens.get(0);
      token = CssGrammar.cssContent(token).trim();
     if (isNonEmptyAsciiAlnumSpaceSeparated(token)) {
        if (isNonEmptyAsciiAlnum(token))
            out.append(token);
        else
            out.append('"').append(token).append('"');
        return true;
     }
      token = Strings.toLowerCase(token);
      if (GENERIC_FONT_FAMILIES.contains(token)) {
        out.append(token);
        return true;
      }
      return false;
    }
    // Quote space separated words so that they are not confused with user-agent
    // extensions like expression(...) or -webkit-small-control.
    out.append('"');
    for (int i = 0; i < n; ++i) {
      String token = tokens.get(i);
      if (!isNonEmptyAsciiAlnum(token)) { return false; }
      if (i != 0) { out.append(' '); }
      out.append(token);
    }
    out.append('"');
    return true;
  }

Strange.

StylingPolicyTest.java circa line 100 has tests for sans-serif but none for 
serif.

Will add tests for serif and probably move the set check before 
isNonEmptyAsciiAlnumSpaceSeparated.

Ok.  It seems I misunderstood the bug.  The problem occurs when "sans-serif" is 
quoted, and "mso-fareast-language:EN-GB" is consistently dropped.

My understanding is that when sans-serif is quoted, the browser should look for 
a font named "sans-serif", but not treat it as a generic font per the last 
sentence quoted from http://www.w3.org/TR/css3-fonts/ :

    <generic-family>
    The following generic family keywords are defined: ‘serif’, ‘sans-serif’, ‘cursive’, ‘fantasy’,
    and ‘monospace’. These keywords can be used as a general fallback mechanism when an
    author's desired font choices are not available. As keywords, they must not be quoted.

I am rejecting font family names with dashes since I found no widely available 
web fonts that are not browser specific extensions and thus possible vectors 
for trusted path violations.  I could white-list some dashed names, but don't 
see why "sans-serif" should be on that white list.

The double-quoted "sans-serif" comes from pasting MS Excel content into a rich 
text editor or MS Outlook, then emailing. Here is an example:

<span style='font-family:"Arial","sans-serif";mso-fareast-language:EN-GB'>

Likely, the author of the code that produced this has not read the standard as 
well as you have (neither had I). Browsers (tested with Chrome) seem to treat 
"sans-serif" the same as the unquoted keyword.

In practice, this should not be a big deal, since in most cases people chose 
main fonts that are widely available. Now that I understand better based on 
your explanation, I agree that it's better to be strict, ie this is not a 
defect.

Thanks!

Issue 27 has been merged into this issue.