StylingPolicy.java revision 1af054935066ae9db1476bef96ff224410edb1f4
1// Copyright (c) 2011, Mike Samuel 2// All rights reserved. 3// 4// Redistribution and use in source and binary forms, with or without 5// modification, are permitted provided that the following conditions 6// are met: 7// 8// Redistributions of source code must retain the above copyright 9// notice, this list of conditions and the following disclaimer. 10// Redistributions in binary form must reproduce the above copyright 11// notice, this list of conditions and the following disclaimer in the 12// documentation and/or other materials provided with the distribution. 13// Neither the name of the OWASP nor the names of its contributors may 14// be used to endorse or promote products derived from this software 15// without specific prior written permission. 16// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 17// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 18// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 19// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE 20// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, 21// INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, 22// BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 23// LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 24// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 25// LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN 26// ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 27// POSSIBILITY OF SUCH DAMAGE. 28 29package org.owasp.html; 30 31import java.util.List; 32 33import javax.annotation.Nullable; 34 35import com.google.common.annotations.VisibleForTesting; 36import com.google.common.collect.Lists; 37 38/** 39 * An HTML sanitizer policy that tries to preserve simple CSS by white-listing 40 * property values and splitting combo properties into multiple more specific 41 * ones to reduce the attack-surface. 42 */ 43@TCB 44final class StylingPolicy implements AttributePolicy { 45 46 private final CssSchema cssSchema; 47 48 StylingPolicy(CssSchema cssSchema) { 49 this.cssSchema = cssSchema; 50 } 51 52 public @Nullable String apply( 53 String elementName, String attributeName, String value) { 54 return value != null ? sanitizeCssProperties(value) : null; 55 } 56 57 /** 58 * Lossy filtering of CSS properties that allows textual styling that affects 59 * layout, but does not allow breaking out of a clipping region, absolute 60 * positioning, image loading, tab index changes, or code execution. 61 * 62 * @return A sanitized version of the input. 63 */ 64 @VisibleForTesting 65 String sanitizeCssProperties(String style) { 66 final StringBuilder sanitizedCss = new StringBuilder(); 67 CssGrammar.parsePropertyGroup(style, new CssGrammar.PropertyHandler() { 68 CssSchema.Property cssProperty = CssSchema.DISALLOWED; 69 List<CssSchema.Property> cssProperties = null; 70 int propertyStart = 0; 71 boolean hasTokens; 72 boolean inQuotedIdents; 73 74 private void emitToken(String token) { 75 closeQuotedIdents(); 76 if (hasTokens) { sanitizedCss.append(' '); } 77 sanitizedCss.append(token); 78 hasTokens = true; 79 } 80 81 private void closeQuotedIdents() { 82 if (inQuotedIdents) { 83 sanitizedCss.append('\''); 84 inQuotedIdents = false; 85 } 86 } 87 88 public void url(String token) { 89 closeQuotedIdents(); 90 //if ((schema.bits & CssSchema.BIT_URL) != 0) { 91 // TODO: sanitize the URL. 92 //} 93 } 94 95 public void startProperty(String propertyName) { 96 if (cssProperties != null) { cssProperties.clear(); } 97 cssProperty = cssSchema.forKey(propertyName); 98 hasTokens = false; 99 propertyStart = sanitizedCss.length(); 100 if (sanitizedCss.length() != 0) { 101 sanitizedCss.append(';'); 102 } 103 sanitizedCss.append(propertyName).append(':'); 104 } 105 106 public void startFunction(String token) { 107 closeQuotedIdents(); 108 if (cssProperties == null) { cssProperties = Lists.newArrayList(); } 109 cssProperties.add(cssProperty); 110 token = Strings.toLowerCase(token); 111 String key = cssProperty.fnKeys.get(token); 112 cssProperty = key != null ? cssSchema.forKey(key) : CssSchema.DISALLOWED; 113 if (cssProperty != CssSchema.DISALLOWED) { 114 emitToken(token); 115 } 116 } 117 118 public void quotedString(String token) { 119 closeQuotedIdents(); 120 int meaning = 121 cssProperty.bits & (CssSchema.BIT_UNRESERVED_WORD | CssSchema.BIT_URL); 122 if ((meaning & (meaning - 1)) == 0) { // meaning is unambiguous 123 if (meaning == CssSchema.BIT_UNRESERVED_WORD 124 && token.length() > 2 125 && isAlphanumericOrSpace(token, 1, token.length() - 1)) { 126 emitToken(Strings.toLowerCase(token)); 127 } else if (meaning == CssSchema.BIT_URL) { 128 // url("url(" + token + ")"); // TODO: %-encode properly 129 } 130 } 131 } 132 133 public void quantity(String token) { 134 int test = token.startsWith("-") 135 ? CssSchema.BIT_NEGATIVE : CssSchema.BIT_QUANTITY; 136 if ((cssProperty.bits & test) != 0 137 // font-weight uses 100, 200, 300, etc. 138 || cssProperty.literals.contains(token)) { 139 emitToken(token); 140 } 141 } 142 143 public void punctuation(String token) { 144 closeQuotedIdents(); 145 if (cssProperty.literals.contains(token)) { 146 emitToken(token); 147 } 148 } 149 150 private static final int IDENT_TO_STRING = 151 CssSchema.BIT_UNRESERVED_WORD | CssSchema.BIT_STRING; 152 public void identifier(String token) { 153 token = Strings.toLowerCase(token); 154 if (cssProperty.literals.contains(token)) { 155 emitToken(token); 156 } else if ((cssProperty.bits & IDENT_TO_STRING) == IDENT_TO_STRING) { 157 if (!inQuotedIdents) { 158 inQuotedIdents = true; 159 if (hasTokens) { sanitizedCss.append(' '); } 160 sanitizedCss.append('\''); 161 hasTokens = true; 162 } else { 163 sanitizedCss.append(' '); 164 } 165 sanitizedCss.append(Strings.toLowerCase(token)); 166 } 167 } 168 169 public void hash(String token) { 170 closeQuotedIdents(); 171 if ((cssProperty.bits & CssSchema.BIT_HASH_VALUE) != 0) { 172 emitToken(Strings.toLowerCase(token)); 173 } 174 } 175 176 public void endProperty() { 177 if (!hasTokens) { 178 sanitizedCss.setLength(propertyStart); 179 } else { 180 closeQuotedIdents(); 181 } 182 } 183 184 public void endFunction(String token) { 185 if (cssProperty != CssSchema.DISALLOWED) { emitToken(")"); } 186 cssProperty = cssProperties.remove(cssProperties.size() - 1); 187 } 188 }); 189 return sanitizedCss.length() == 0 ? null : sanitizedCss.toString(); 190 } 191 192 private static boolean isAlphanumericOrSpace( 193 String token, int start, int end) { 194 for (int i = start; i < end; ++i) { 195 char ch = token.charAt(i); 196 if (ch <= 0x20) { 197 if (ch != '\t' && ch != ' ') { 198 return false; 199 } 200 } else { 201 int chLower = ch | 32; 202 if (!(('0' <= chLower && chLower <= '9') 203 || ('a' <= chLower && chLower <= 'z'))) { 204 return false; 205 } 206 } 207 } 208 return true; 209 } 210} 211