sanitizer bypasses all css properties when allowStyling() throws an error on adding an unsupported css property to the whitelist


Rasmita Mahapatra

May 29, 2018, 6:29:50 AM
to OWASP Java HTML Sanitizer Support
private static final CssSchema ADDITIONAL_DEFAULT_CSS = CssSchema.withProperties(ImmutableSet.of(
        "float",
        "display"
));
HtmlPolicyBuilder htmlPolicyBuilder = new HtmlPolicyBuilder();
htmlPolicyBuilder.allowStyling(CssSchema.union(CssSchema.DEFAULT, ADDITIONAL_DEFAULT_CSS, CssSchema.withProperties(addlCssWhiteList)));
addlCssWhiteList contains two properties, "z-index" and "flex".

In this case allowStyling() throws IllegalArgumentException as "flex" is not present in the CssSchema DEFINITION. After this, what is noticed is that the sanitizer doesn't filter any of the CSS properties present in the HTML on encountering an exception.

Please let me know if this is a bug in the sanitizer.

Thanks
Rasmita

Mike Samuel

May 29, 2018, 11:35:12 AM
to OWASP Java HTML Sanitizer Support
So
  ImmutableSet<String> addlCssWhiteList = ImmutableSet.of("z-index", "flex");
?

Do you have a stacktrace?
AFAICT the second call to CssSchema.withProperties should throw IllegalArgumentException so control should never enter allowStyling.



Rasmita Mahapatra

May 30, 2018, 3:10:44 AM
to OWASP Java HTML Sanitizer Support

On Tuesday, May 29, 2018 at 10:05:12 PM UTC+5:30, Mike Samuel wrote:

> On Tue, May 29, 2018 at 7:29 AM, Rasmita Mahapatra <[email protected]> wrote:
> > private static final CssSchema ADDITIONAL_DEFAULT_CSS = CssSchema.withProperties(ImmutableSet.of(
> >         "float",
> >         "display"
> > ));
> > HtmlPolicyBuilder htmlPolicyBuilder = new HtmlPolicyBuilder();
> > htmlPolicyBuilder.allowStyling(CssSchema.union(CssSchema.DEFAULT, ADDITIONAL_DEFAULT_CSS, CssSchema.withProperties(addlCssWhiteList)));
> > addlCssWhiteList contains two properties, "z-index" and "flex".
> >
> > In this case allowStyling() throws IllegalArgumentException as "flex" is not present in the CssSchema DEFINITION. After this, what is noticed is that the sanitizer doesn't filter any of the CSS properties present in the HTML on encountering an exception.
>
> So
>   ImmutableSet<String> addlCssWhiteList = ImmutableSet.of("z-index", "flex");
> ?

It's like
List<String> addlCssWhiteList = getConfiguredList("z-index, flex");

> Do you have a stacktrace?
> AFAICT the second call to CssSchema.withProperties should throw IllegalArgumentException so control should never enter allowStyling.

Error while allowing addition css one of the property is not supported: flex-wrap 
java.lang.IllegalArgumentException: flex-wrap
at org.owasp.html.CssSchema.withProperties(CssSchema.java:97) ~[owasp-java-html-sanitizer-20171016.1.jar:?]
at com.sun.comms.client.util.HTMLSanitizer.init(Unknown Source)
at com.sun.comms.client.util.HTMLSanitizer.<clinit>(Unknown Source) 
Thanks
Rasmita
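Mike's point above is that CssSchema.withProperties rejects the unknown name before allowStyling is ever reached, and the trace shows that happening inside a static initializer, so the application is left with no policy at all. The following is an added example, not code from the thread or from the sanitizer project: it validates each configured name with withProperties first, builds the schema only from the names the library accepts, and replaces the thread's getConfiguredList with a constructed list.

```java
import com.google.common.collect.ImmutableSet;
import org.owasp.html.CssSchema;
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;

/** Builds the CSS whitelist so that one unsupported configured name cannot break initialization. */
public final class SafeCssPolicy {
  /** Keeps the names CssSchema.withProperties accepts; names it rejects are collected in rejected. */
  static List<String> supportedProperties(Collection<String> configured, List<String> rejected) {
    List<String> accepted = new ArrayList<>();
    for (String name : configured) {
      try {
        // withProperties throws IllegalArgumentException for a name missing from CssSchema's definition.
        CssSchema.withProperties(ImmutableSet.of(name));
        accepted.add(name);
      } catch (IllegalArgumentException e) {
        rejected.add(name);
      }
    }
    return accepted;
  }

  /** Same construction as in the thread, but only over names known to be supported. */
  static PolicyFactory buildPolicy(Collection<String> configured) {
    List<String> rejected = new ArrayList<>();
    List<String> accepted = supportedProperties(configured, rejected);
    if (!rejected.isEmpty()) {
      // Report at startup instead of letting the static initializer fail and leaving no policy at all.
      System.err.println("Ignoring unsupported CSS properties: " + rejected);
    }
    CssSchema schema = CssSchema.union(
        CssSchema.DEFAULT,
        CssSchema.withProperties(ImmutableSet.of("float", "display")),
        CssSchema.withProperties(accepted));
    return new HtmlPolicyBuilder()
        .allowCommonBlockElements()
        .allowStyling(schema)
        .toFactory();
  }

  public static void main(String[] args) {
    // Constructed input: "flex" stands in for whatever name the deployed version does not define.
    PolicyFactory policy = buildPolicy(Arrays.asList("z-index", "flex"));
    System.out.println(policy.sanitize("<p style=\"z-index:3; flex:1\">hi</p>"));
  }
}
```

With a policy that always exists, declarations for rejected names are stripped by the sanitizer rather than passed through because initialization never completed.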