Comments (10)
@spassarop - Can you answer this question? Thx
from antisamy.
Regarding var, you can add a new <regexp> tag based on others such as "cssOnsiteUri", placed inside the <common-regexps> section of your policy file. Then you can reference it on any property that applies, the same as the "cssOnsiteUri" example. A valid regexp for that could be var\(--\w+(-\w+)*\), but be as strict as you need to, preferably.
However, I'm not sure Batik-CSS (AntiSamy's CSS parser) supports CSS variables. In that case, the var usage may be useless because the output won't contain any surviving variables. To confirm this I need to do some deep debugging first, but that is my preliminary answer.
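As an added example (not code from the AntiSamy project or from anyone in this thread), the Python script below takes the suggested pattern, places it in a constructed policy fragment the way the comment describes (a named <regexp> under <common-regexps>, referenced from a property's <regexp-list>), resolves that reference, and runs constructed CSS property values through it. It assumes AntiSamy applies the pattern as a full match over the whole property value and that Java's default \w is ASCII only (emulated here with re.ASCII). It checks the pattern only; whether the CSS parser keeps the var() declaration alive is the separate question the rest of the thread takes up.

```python
r"""Offline check of a proposed AntiSamy CSS <regexp> for CSS custom properties.

Added example, not AntiSamy project code. It uses the pattern suggested in the
thread, var\(--\w+(-\w+)*\), inside a constructed policy fragment and exercises
it against constructed CSS values.

Assumptions: AntiSamy's CSS validator requires the whole property value to
match the pattern (full match, not substring search), and Java's default \w is
ASCII only, which re.ASCII emulates.
"""
import re
import xml.etree.ElementTree as ET

# Constructed fragment of an AntiSamy policy file (sample data, not a shipped policy).
POLICY_FRAGMENT = """\
<anti-samy-rules>
  <common-regexps>
    <regexp name="cssVariable" value="var\\(--\\w+(-\\w+)*\\)"/>
  </common-regexps>
  <css-rules>
    <property name="color" default="inherit" description="">
      <regexp-list>
        <regexp name="cssVariable"/>
      </regexp-list>
    </property>
  </css-rules>
</anti-samy-rules>
"""


def property_patterns(policy_xml: str, prop: str) -> list:
    """Resolve the regexps allowed for one <css-rules> property.

    A <regexp name="..."/> inside a <regexp-list> refers to a named entry under
    <common-regexps>; a <regexp value="..."/> is inline. An unknown name is a
    policy error, so fail loudly rather than silently allowing nothing.
    """
    root = ET.fromstring(policy_xml)
    common = {
        r.get("name"): r.get("value")
        for r in root.findall("./common-regexps/regexp")
    }
    patterns = []
    for p in root.findall("./css-rules/property"):
        if p.get("name") != prop:
            continue
        for r in p.findall("./regexp-list/regexp"):
            value = r.get("value")
            if value is None:
                name = r.get("name")
                if name not in common:
                    raise ValueError(f"unknown common regexp {name!r}")
                value = common[name]
            # re.ASCII: Java's default \w is [a-zA-Z_0-9]; Python's is Unicode-aware.
            patterns.append(re.compile(value, re.ASCII))
    return patterns


def css_value_allowed(value: str, patterns: list) -> bool:
    """Emulate the regexp branch of the property check: the whole value must
    match at least one pattern (assumed full-match semantics)."""
    return any(p.fullmatch(value) for p in patterns)


def check_samples() -> dict:
    """Run constructed property values through the resolved pattern."""
    patterns = property_patterns(POLICY_FRAGMENT, "color")
    samples = [
        "var(--main-color)",              # plain custom property reference
        "var(--x)",                       # single-segment name
        "var(--main-color, red)",         # fallback value: not covered by the pattern
        "var(--x) expression(alert(1))",  # trailing payload: rejected by full match
        "var(--main--color)",             # empty segment between hyphens
        "VAR(--x)",                       # pattern is case-sensitive
        "var(--couleur-é)",               # non-ASCII name: rejected under Java-style \w
    ]
    return {s: css_value_allowed(s, patterns) for s in samples}


if __name__ == "__main__":
    for value, ok in check_samples().items():
        print(f"{'allow' if ok else 'reject':6} {value}")
```

The last sample is the one to watch when porting a pattern between a Java policy file and a Python or JavaScript test harness: without an ASCII flag the same regexp accepts accented names that the Java side would refuse, so a harness that passes does not prove the policy behaves the same way.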
Thank you for your response. I am using CssParser instead of BatikCSS, but I am not sure whether that supports CSS variables either.
I did the heavy debugging. The org.apache.batik.css.parser.Scanner class has its own criteria when it encounters hyphens, and it does not contemplate the existence of CSS variables. The logic automatically expects other character combinations following a hyphen, and the parser gets messed up internally, spitting out CSS nothing like the original, with empty stuff.
To sum up, the Batik-CSS dependency does not support CSS variables, and AntiSamy cannot work with them as it never gets to see them in the internal parser's output. I guess this would result in a wontfix because it is far from what we can achieve by coding; correct me if I'm wrong @davewichers.
@spassarop - you are the expert on these internal details so I trust your analysis. I think our only real option here, if you want to investigate, is replacing the CSS parser with something newer, more transparent, more open, but that's up to you. There are a number of won't fixes, like this one, that are all stuck because of Batik. If you decide to research, open an issue like: "Investigate replacing Batik CSS". And you can link that ticket to all the won't fixes caused by Batik doing things internally we can't see/change/affect. We should maybe even create that ticket even if you don't want to spend time actually investigating this, just to link all the related issues together.
Thank you @spassarop and @davewichers for the detailed clarification. Even if we use some other CSS parser instead of Batik CSS, are there any possibilities of supporting custom CSS variables in AntiSamy? My organisation is using CSS Parser 0.9.20. I don't know whether it has support or not, but I can't work with the variables in that either.
I can't discard the possibility that there is a working parser with that feature. But as Dave wrote, that needs intense research to find out if all current features are available. Also, if such a library exists, a strong refactoring and testing process must be carried out because the current code is tightly coupled with Batik-CSS.
Anyway, until that happens, there is no way AntiSamy can be adapted to support CSS variables.
I'm linking the new issue #293 as suggested.