rombert commented on code in PR #28: URL: https://github.com/apache/sling-org-apache-sling-xss/pull/28#discussion_r966851869
########## src/main/java/org/apache/sling/xss/impl/style/BatikCssCleaner.java: ########## @@ -0,0 +1,82 @@ +/*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + ~ Licensed to the Apache Software Foundation (ASF) under one + ~ or more contributor license agreements. See the NOTICE file + ~ distributed with this work for additional information + ~ regarding copyright ownership. The ASF licenses this file + ~ to you under the Apache License, Version 2.0 (the + ~ "License"); you may not use this file except in compliance + ~ with the License. You may obtain a copy of the License at + ~ + ~ http://www.apache.org/licenses/LICENSE-2.0 + ~ + ~ Unless required by applicable law or agreed to in writing, + ~ software distributed under the License is distributed on an + ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + ~ KIND, either express or implied. See the License for the + ~ specific language governing permissions and limitations + ~ under the License. + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~*/ +package org.apache.sling.xss.impl.style; + +import java.io.IOException; +import java.io.StringReader; + +import org.apache.batik.css.parser.Parser; +import org.apache.sling.xss.impl.xml.AntiSamyPolicy.CssPolicy; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.w3c.css.sac.CSSException; +import org.w3c.css.sac.InputSource; + +public class BatikCssCleaner { + + private final Logger logger = LoggerFactory.getLogger(getClass()); + private final CssPolicy cssPolicy; + + private static final String CDATA_PRE = "<![CDATA["; + private static final String CDATA_POST = "]]>"; + + public BatikCssCleaner(CssPolicy cssPolicy) { + this.cssPolicy = cssPolicy; + } + + /** + * Parses a CSS stylesheet and returns it in a safe form + * + * @param untrustedCss a complete CSS stylesheet + * @return the cleaned CSS stylesheet text + */ + public String cleanStylesheet(String untrustedCss) { + try { + if ( untrustedCss.startsWith(CDATA_PRE) && untrustedCss.endsWith(CDATA_POST) ) + untrustedCss = untrustedCss.substring(CDATA_PRE.length(), untrustedCss.length() - CDATA_POST.length()); + Parser parser = new Parser(); + ValidatingDocumentHandler handler = new ValidatingDocumentHandler(cssPolicy, false); + parser.setDocumentHandler(handler); + parser.parseStyleSheet(new InputSource(new StringReader(untrustedCss))); + return handler.getValidCss(); + } catch (CSSException | IOException e) { + logger.debug("Unexpected error while cleaning stylesheet", e); Review Comment: The parser errors occur due to malformed style sheets or declarations supplied to the parser. It does not mean that we have misconfigured it, the policy handling does not do that. We have decided to return an empty output for invalid input since it is in line with the overall behaviour of the Java HTML Sanitiser. It does not throw exceptions on invalid input and the response for really malformed data e.g. `<stron|` is an empty output. It does have an error reporting facility, via `HtmlStreamRenderer.error`, but that is used for malformed HTML and not exposed to processors that are invoked later. I think this is pretty much in line with how the library is used and would not change it. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
