Comments (9)
@spassarop - Can you review. I have no background on this.
from antisamy.
Apparently the ExternalCssScanner
only implementation is parseImportedStylesheets
method, which is not implemented in CssScanner
class (empty code, just a comment saying that ExternalCssScanner
implements that). Also there is no other CssScanner
extension, so currently it doesn't make any sense to have two scanners.
The only difference is that by policy you can parse imported stylesheets or not, and that is when the ExternalCssScanner
should come into play. As a scanner, you parse the imported sheets or not, that's it. But currently it never does. I guess I'll change this logic to make things right.
from antisamy.
Ok, so I checked this by debugging. Many things to note:
- @LiuXing-R about your test:
a.@import
syntax requires ending the rule with;
.
b. The CSS file of that URL has a size over 200000 which is the maximum specified by the default policy.
c. The policy must enable (by directive) imported CSS parsing, just in case you didn't enable it.
Although regarding this considerations, the root problem persists because of how it's programmed. - I moved the
ExternalCssScanner
logic toCssScanner
and used a boolean in the constructor to know if parse imported CSS or not. - By spec,
@import
also must be at the beginning, didn't know that, but it came up testing. Batik-CSS respects this. - Although it now works, the imported styles are added after other styles that were under the import rule, so order is changed. Not sure if that makes sense.
- Results for some CSS URLs were very short, like parsing was stopped a few lines from the start. That may be because of two reasons or a combination of them: my tested CSS is not so standard, or Batik-CSS parser is pretty bad/outdated. Whatever the reason is, if there is an exception, parsing stops. Errors are not logged because there is no error handler set in
CssScanner
, unlikeparser.setDocumentHandler(handler)
for overriding some parsing methods. So for now there is no explanation about why it fails but you can more or less know because you have results until some imported line.
I'll make a PR that everyone can review and make any suggestions.
from antisamy.
Enable embedStyleSheets
, and @import is at the beginning, this is no problem, I set it like this,
But what I expect is to keep these styles:
h1 {font: 15pt "Arial"; color: blue;}
p {font: 10pt "Arial"; Color: black;}
from antisamy.
Hi,@spassarop
There is still a problem to be aware of here.
The order of @import
and h1
, the order between multiple @imports
, they have priority, the previous rules will be overwritten by the latter, so AntiSamy cannot change the order.
from antisamy.
You're right, I mentioned before that AntiSamy adds the imported style after. It first parses all styles, gathers URLs in the process, requests each style and parses it adding to the previous result. We should see if it can be done easily or if parsing results cannot be rearranged by design. However, this is a different issue, the original one was that import was not working at all. @davewichers, you think we should close+merge this here an open a new issue for that?
from antisamy.
Whatever you prefer. I don't care either way.
from antisamy.
Let's open a new one then.
from antisamy.
@LiuXing-R go check #113, it's OK to me from what I've tested.
from antisamy.
Related Issues (20)
- Change in behavior between 1.6.4 and 1.6.5 for getErrorMessages HOT 7
- Commit details for CVE-2022-28366? HOT 4
- Remove all deprecated APIs/features in prep for 1.7.0 release HOT 1
- ASHTMLSerializer uses deprecated HTMLSerializer. Replace with TrAX.
- AntiSamy converting single quotes to double quotes for font-family which is causing issue while rendering HOT 6
- AntiSamy not detecting XSS for anchor tag HOT 10
- CssHandler test case failure on Windows HOT 5
- Incorrect 'Contributing' link on OWASP wiki page HOT 1
- Javadoc cleanup
- 2 enhancement HOT 2
- 1 enhancement with api HOT 2
- CVE-2022-24891 HOT 7
- Removing Xerces dependency? HOT 3
- Does Antisamy has support for custom css properties " --* " and css-function " var() " and how to define it in the antisamy policy file? HOT 10
- Enabled noopenerAndNoreferrerAnchors policy drops nofollow HOT 7
- Covering all cases of "rel" attribute in "anchor" tag is quite verbose HOT 3
- Investigate replacing Batik CSS HOT 1
- Dealing with Security Vulnerabilities CVE-2023-26119 HOT 13
- AntiSamy encodes unknown tags despite not being configured that way HOT 6
- GraalVM Support HOT 4
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from antisamy.