Reputation: 237
I am working on a project where we are allowing users to submit html/css and we will create a pdf out of that code. We have the code working, but I would like to sanitize the data that is coming in to prevent any attacks. There is a method to sanitize the inline css through: http://javadox.com/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/r223/javadoc/org/owasp/html/HtmlPolicyBuilder.html#allowStyling(org.owasp.html.CssSchema)
But is there anything that can be used to check what is inside a style tag? I do realize that embedded CSS may be too difficult to check, but I couldn't find anything in my Google searches on this topic. The CssSchema seems to check every property I need; I just cannot apply it to what is between the style tags.
Upvotes: 2
Views: 1223
Reputation: 237
The answer to my question was to use AntiSamy. http://atetric.com/atetric/javadoc/org.owasp.antisamy/antisamy/1.5.3/org/owasp/validator/css/CssScanner.html This class gave me everything I need. It allows me to scan external, embedded and inline CSS. I am currently working on the inline part, because I think I have to pull out each inline element individually. I did have to strip out the style tags in order to use CssScanner with scanStyleSheet, but it worked.
Upvotes: 1
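The approach the answer describes (strip the style tags, hand the bare CSS to CssScanner.scanStyleSheet, put the cleaned rules back) as an added example, not the poster's code: it assumes an AntiSamy policy file at the path `antisamy.xml`, that CssScanner is constructed with an `InternalPolicy` cast of the loaded policy plus AntiSamy's own message bundle (the way AntiSamy's scanners build it), and a constructed size limit and sample input.

```java
import java.util.Locale;
import java.util.ResourceBundle;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import org.owasp.validator.css.CssScanner;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.InternalPolicy;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

public class StyleBlockSanitizer {

    // Matches each <style ...>...</style> block; DOTALL lets rules span lines.
    // A regex is good enough for a first pass; a real HTML parser is more robust.
    private static final Pattern STYLE_BLOCK =
            Pattern.compile("<style\\b[^>]*>(.*?)</style>", Pattern.CASE_INSENSITIVE | Pattern.DOTALL);

    private static final int CSS_SIZE_LIMIT = 100_000; // max CSS characters per block (constructed value)

    private final CssScanner cssScanner;

    public StyleBlockSanitizer(Policy policy) {
        // Assumption: CssScanner takes the InternalPolicy subclass and AntiSamy's message bundle.
        ResourceBundle messages = ResourceBundle.getBundle("AntiSamy", Locale.getDefault());
        this.cssScanner = new CssScanner((InternalPolicy) policy, messages);
    }

    /** Replaces every embedded stylesheet with the policy-cleaned version of itself. */
    public String sanitizeStyleBlocks(String html) throws ScanException {
        Matcher m = STYLE_BLOCK.matcher(html);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            // scanStyleSheet expects bare CSS, so only the text between the tags is passed.
            CleanResults result = cssScanner.scanStyleSheet(m.group(1), CSS_SIZE_LIMIT);
            // Rules the policy rejected are reported here; worth logging so abuse attempts are visible.
            for (String err : result.getErrorMessages()) {
                System.err.println("Dropped CSS rule: " + err);
            }
            m.appendReplacement(out, Matcher.quoteReplacement("<style>" + result.getCleanHTML() + "</style>"));
        }
        m.appendTail(out);
        return out.toString();
    }

    public static void main(String[] args) throws PolicyException, ScanException {
        Policy policy = Policy.getInstance("antisamy.xml"); // assumed policy file path
        // Constructed input: one plain rule and one using a non-standard expression() a sane policy drops.
        String html = "<style>p { color: red; } div { width: expression(1); }</style><p>hi</p>";
        System.out.println(new StyleBlockSanitizer(policy).sanitizeStyleBlocks(html));
    }
}
```

Inline `style` attributes are not touched by this pass; they go through the regular AntiSamy scan of the full document, which applies the same CSS policy to them.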