java-html-sanitizer icon indicating copy to clipboard operation
java-html-sanitizer copied to clipboard

Published 20 hours ago verified publisher icon OWASP

font-family sanitization issue

Open jurajvalkucak opened this issue 3 years ago • 1 comments

Hi,

looks like there's issue with CSS font-family sanitization, when the input is first sanitized it adds quotes to font-families. When the sanitized content is sanitized again it removes some font-families and leaving blanks separated with commas, causing CSS font-family to be invalid.

Input to sanitize: <span style="font-family:WordVisi_MSFontService, Algerian, Algerian_EmbeddedFont, Algerian_MSFontService, sans-serif;">TEXT</span>

Sanitize input (adding quotes to font-families and lower case): <span style="font-family:&#39;wordvisi_msfontservice&#39; , &#39;algerian&#39; , &#39;algerian_embeddedfont&#39; , &#39;algerian_msfontservice&#39; , sans-serif">TEXT</span>

Sanitize again (issue removing font-families and adding commas, causing invalid font-family tag): <span style="font-family:, &#39;algerian&#39; , , , sans-serif">TEXT</span>

The issue is caused if policy is configured like below: new HtmlPolicyBuilder().allowStyling(CssSchema.DEFAULT)

Thanks, Juraj

jurajvalkucak avatar Jul 13 '21 11:07 jurajvalkucak

I don't think we guarantee that sanitization is idempotent, but this looks like a bug. The problem is probably somewhere in StylingPolicy and probably has to do with the underscores in the names that get removed.

mikesamuel avatar Oct 18 '21 15:10 mikesamuel