Skip to content

Commit 0199e7e

Browse files
committed
Support multiple children handling on style tags
1 parent 578d1f9 commit 0199e7e

File tree

3 files changed

+35
-9
lines changed

3 files changed

+35
-9
lines changed

Diff for: src/main/java/org/owasp/validator/html/scan/AntiSamyDOMScanner.java

+20-8
Original file line numberDiff line numberDiff line change
@@ -407,10 +407,17 @@ private boolean processStyleTag(Element ele, Node parentNode) {
407407
CssScanner styleScanner = new CssScanner(policy, messages, policy.isEmbedStyleSheets());
408408

409409
try {
410-
Node firstChild = ele.getFirstChild();
411-
if (firstChild != null) {
410+
if (ele.getChildNodes().getLength() > 0) {
411+
String toScan = "";
412+
413+
for (int i = 0; i < ele.getChildNodes().getLength(); i++) {
414+
Node childNode = ele.getChildNodes().item(i);
415+
if (!toScan.isEmpty()){
416+
toScan += "\n";
417+
}
418+
toScan += childNode.getTextContent();
419+
}
412420

413-
String toScan = firstChild.getNodeValue();
414421
CleanResults cr = styleScanner.scanStyleSheet(toScan, policy.getMaxInputSize());
415422
errorMessages.addAll(cr.getErrorMessages());
416423

@@ -422,12 +429,17 @@ private boolean processStyleTag(Element ele, Node parentNode) {
422429
* break all CSS. To prevent that, we have this check.
423430
*/
424431

425-
final String cleanHTML = cr.getCleanHTML();
432+
String cleanHTML = cr.getCleanHTML();
433+
cleanHTML = cleanHTML == null || cleanHTML.equals("") ? "/* */" : cleanHTML;
426434

427-
if (cleanHTML == null || cleanHTML.equals("")) {
428-
firstChild.setNodeValue("/* */");
429-
} else {
430-
firstChild.setNodeValue(cleanHTML);
435+
ele.getFirstChild().setNodeValue(cleanHTML);
436+
/*
437+
* Remove every other node after cleaning CSS, there will
438+
* be only one node in the end, as it always should have.
439+
*/
440+
for (int i = 1; i < ele.getChildNodes().getLength(); i++) {
441+
Node childNode = ele.getChildNodes().item(i);
442+
ele.removeChild(childNode);
431443
}
432444
}
433445

Diff for: src/test/java/org/owasp/validator/html/test/AntiSamyTest.java

+14
Original file line numberDiff line numberDiff line change
@@ -1702,5 +1702,19 @@ public void testGithubIssue151() throws ScanException, PolicyException {
17021702
assertThat(result.getErrorMessages().size(), is(1));
17031703
assertThat(result.getCleanHTML(), both(containsString("img")).and(not(containsString("CURSOR"))));
17041704
}
1705+
1706+
@Test
1707+
public void testSmuggledTagsInStyleContent() throws ScanException, PolicyException {
1708+
// HTML tags may be smuggled into a style tag after parsing input to an internal representation.
1709+
// If that happens, they should be treated as text content and not as children nodes.
1710+
1711+
Policy revised = policy.cloneWithDirective(Policy.USE_XHTML,"true");
1712+
assertThat(as.scan("<style/>b<![cdata[</style><a href=javascript:alert(1)>test", revised, AntiSamy.DOM).getCleanHTML(), not(containsString("javascript")));
1713+
assertThat(as.scan("<style/>b<![cdata[</style><a href=javascript:alert(1)>test", revised, AntiSamy.SAX).getCleanHTML(), not(containsString("javascript")));
1714+
1715+
Policy revised2 = policy.cloneWithDirective(Policy.USE_XHTML,"false");
1716+
assertThat(as.scan("<select<style/>W<xmp<script>alert(1)</script>", revised2, AntiSamy.DOM).getCleanHTML(), not(containsString("script")));
1717+
assertThat(as.scan("<select<style/>W<xmp<script>alert(1)</script>", revised2, AntiSamy.SAX).getCleanHTML(), not(containsString("script")));
1718+
}
17051719
}
17061720

Diff for: src/test/java/org/owasp/validator/html/test/TestPolicy.java

+1-1
Original file line numberDiff line numberDiff line change
@@ -43,7 +43,7 @@
4343
*/
4444
public class TestPolicy extends InternalPolicy {
4545

46-
protected TestPolicy(Policy.ParseContext parseContext) throws PolicyException {
46+
protected TestPolicy(Policy.ParseContext parseContext) {
4747
super(parseContext);
4848
}
4949

0 commit comments

Comments
 (0)