RubyGems - antisamy - Versions diffs - 0.0.1 → 0.2.0 - Mend

antisamy 0.0.1 → 0.2.0

Files changed (45) hide show

data/README.rdoc +6 -1
data/lib/antisamy/css/css_filter.rb +187 -0
data/lib/antisamy/css/css_scanner.rb +84 -0
data/lib/antisamy/css/css_validator.rb +129 -0
data/lib/antisamy/csspool/rsac/sac/conditions/attribute_condition.rb +50 -0
data/lib/antisamy/csspool/rsac/sac/conditions/begin_hyphen_condition.rb +18 -0
data/lib/antisamy/csspool/rsac/sac/conditions/class_condition.rb +18 -0
data/lib/antisamy/csspool/rsac/sac/conditions/combinator_condition.rb +36 -0
data/lib/antisamy/csspool/rsac/sac/conditions/condition.rb +29 -0
data/lib/antisamy/csspool/rsac/sac/conditions/id_condition.rb +23 -0
data/lib/antisamy/csspool/rsac/sac/conditions/one_of_condition.rb +18 -0
data/lib/antisamy/csspool/rsac/sac/conditions/pseudo_class_condition.rb +20 -0
data/lib/antisamy/csspool/rsac/sac/conditions.rb +5 -0
data/lib/antisamy/csspool/rsac/sac/document_handler.rb +66 -0
data/lib/antisamy/csspool/rsac/sac/error_handler.rb +13 -0
data/lib/antisamy/csspool/rsac/sac/generated_parser.rb +1012 -0
data/lib/antisamy/csspool/rsac/sac/generated_property_parser.rb +9284 -0
data/lib/antisamy/csspool/rsac/sac/lexeme.rb +27 -0
data/lib/antisamy/csspool/rsac/sac/lexical_unit.rb +201 -0
data/lib/antisamy/csspool/rsac/sac/parse_exception.rb +4 -0
data/lib/antisamy/csspool/rsac/sac/parser.rb +109 -0
data/lib/antisamy/csspool/rsac/sac/property_parser.rb +44 -0
data/lib/antisamy/csspool/rsac/sac/selectors/child_selector.rb +36 -0
data/lib/antisamy/csspool/rsac/sac/selectors/conditional_selector.rb +45 -0
data/lib/antisamy/csspool/rsac/sac/selectors/descendant_selector.rb +36 -0
data/lib/antisamy/csspool/rsac/sac/selectors/element_selector.rb +35 -0
data/lib/antisamy/csspool/rsac/sac/selectors/selector.rb +25 -0
data/lib/antisamy/csspool/rsac/sac/selectors/sibling_selector.rb +35 -0
data/lib/antisamy/csspool/rsac/sac/selectors/simple_selector.rb +21 -0
data/lib/antisamy/csspool/rsac/sac/selectors.rb +5 -0
data/lib/antisamy/csspool/rsac/sac/token.rb +25 -0
data/lib/antisamy/csspool/rsac/sac/tokenizer.rb +185 -0
data/lib/antisamy/csspool/rsac/sac.rb +14 -0
data/lib/antisamy/csspool/rsac/stylesheet/rule.rb +20 -0
data/lib/antisamy/csspool/rsac/stylesheet/stylesheet.rb +76 -0
data/lib/antisamy/csspool/rsac/stylesheet.rb +3 -0
data/lib/antisamy/csspool/rsac.rb +1 -0
data/lib/antisamy/html/handler.rb +4 -0
data/lib/antisamy/html/sax_filter.rb +49 -33
data/lib/antisamy/html/scanner.rb +1 -43
data/lib/antisamy/policy.rb +8 -3
data/lib/antisamy/scan_results.rb +68 -0
data/lib/antisamy.rb +4 -0
data/spec/antisamy_spec.rb +111 -3
metadata +39 -3

data/lib/antisamy/csspool/rsac/sac/tokenizer.rb ADDED Viewed

@@ -0,0 +1,185 @@
+require "antisamy/csspool/rsac/sac/lexeme"
+require "antisamy/csspool/rsac/sac/token"
+module RSAC
+  class Tokenizer
+    def initialize(&block)
+      @lexemes = []
+      @macros = {}
+      # http://www.w3.org/TR/CSS21/syndata.html
+      macro(:h, /([0-9a-f])/ )
+      macro(:nonascii, /([\200-\377])/ )
+      macro(:nl, /(\n|\r\n|\r|\f)/ )
+      macro(:unicode, /(\\#{m(:h)}{1,6}(\r\n|[ \t\r\n\f])?)/ )
+      macro(:escape, /(#{m(:unicode)}|\\[^\r\n\f0-9a-f])/ )
+      macro(:nmstart, /([_a-z]|#{m(:nonascii)}|#{m(:escape)})/ )
+      macro(:nmchar, /([_a-z0-9-]|#{m(:nonascii)}|#{m(:escape)})/ )
+      macro(:string1, /(\"([^\n\r\f\\\"]|\\#{m(:nl)}|#{m(:escape)})*\")/ )
+      macro(:string2, /(\'([^\n\r\f\\']|\\#{m(:nl)}|#{m(:escape)})*\')/ )
+      macro(:invalid1, /(\"([^\n\r\f\\\"]|\\#{m(:nl)}|#{m(:escape)})*)/ )
+      macro(:invalid2, /(\'([^\n\r\f\\']|\\#{m(:nl)}|#{m(:escape)})*)/ )
+      macro(:comment, /(\/\*[^*]*\*+([^\/*][^*]*\*+)*\/)/ )
+      macro(:ident, /(-?#{m(:nmstart)}#{m(:nmchar)}*)/ )
+      macro(:name, /(#{m(:nmchar)}+)/ )
+      macro(:num, /([0-9]+|[0-9]*\.[0-9]+)/ )
+      macro(:string, /(#{m(:string1)}|#{m(:string2)})/ )
+      macro(:invalid, /(#{m(:invalid1)}|#{m(:invalid2)})/ )
+      macro(:url, /(([!#\$%&*-~]|#{m(:nonascii)}|#{m(:escape)})*)/ )
+      macro(:s, /([ \t\r\n\f]+)/ )
+      macro(:w, /(#{m(:s)}?)/ )
+      macro(:A, /(a|\\0{0,4}(41|61)(\r\n|[ \t\r\n\f])?)/ )
+      macro(:C, /(c|\\0{0,4}(43|63)(\r\n|[ \t\r\n\f])?)/ )
+      macro(:D, /(d|\\0{0,4}(44|64)(\r\n|[ \t\r\n\f])?)/ )
+      macro(:E, /(e|\\0{0,4}(45|65)(\r\n|[ \t\r\n\f])?)/ )
+      macro(:G, /(g|\\0{0,4}(47|67)(\r\n|[ \t\r\n\f])?|\\g)/ )
+      macro(:H, /(h|\\0{0,4}(48|68)(\r\n|[ \t\r\n\f])?|\\h)/ )
+      macro(:I, /(i|\\0{0,4}(49|69)(\r\n|[ \t\r\n\f])?|\\i)/ )
+      macro(:K, /(k|\\0{0,4}(4b|6b)(\r\n|[ \t\r\n\f])?|\\k)/ )
+      macro(:M, /(m|\\0{0,4}(4d|6d)(\r\n|[ \t\r\n\f])?|\\m)/ )
+      macro(:N, /(n|\\0{0,4}(4e|6e)(\r\n|[ \t\r\n\f])?|\\n)/ )
+      macro(:O, /(o|\\0{0,4}(51|71)(\r\n|[ \t\r\n\f])?|\\o)/ )
+      macro(:P, /(p|\\0{0,4}(50|70)(\r\n|[ \t\r\n\f])?|\\p)/ )
+      macro(:R, /(r|\\0{0,4}(52|72)(\r\n|[ \t\r\n\f])?|\\r)/ )
+      macro(:S, /(s|\\0{0,4}(53|73)(\r\n|[ \t\r\n\f])?|\\s)/ )
+      macro(:T, /(t|\\0{0,4}(54|74)(\r\n|[ \t\r\n\f])?|\\t)/ )
+      macro(:X, /(x|\\0{0,4}(58|78)(\r\n|[ \t\r\n\f])?|\\x)/ )
+      macro(:Z, /(z|\\0{0,4}(5a|7a)(\r\n|[ \t\r\n\f])?|\\z)/ )
+      #token :COMMENT do |patterns|
+      #  patterns << /\/\*[^*]*\*+([^\/*][^*]*\*+)*\//
+      #  patterns << /#{m(:s)}+\/\*[^*]*\*+([^\/*][^*]*\*+)*\//
+      #end
+      token(:LBRACE, /#{m(:w)}\{/)
+      token(:PLUS, /#{m(:w)}\+/)
+      token(:GREATER, /#{m(:w)}>/)
+      token(:COMMA, /#{m(:w)},/)
+      token(:S, /#{m(:s)}/)
+      #token :URI do |patterns|
+      #  patterns << /url\(#{m(:w)}#{m(:string)}#{m(:w)}\)/
+      #  patterns << /url\(#{m(:w)}#{m(:url)}#{m(:w)}\)/
+      #end
+      token(:FUNCTION, /#{m(:ident)}\(/)
+      token(:IDENT, /#{m(:ident)}/)
+      token(:CDO, /<!--/)
+      token(:CDC, /-->/)
+      token(:INCLUDES, /~=/)
+      token(:DASHMATCH, /\|=/)
+      #token(:STRING, /#{m(:string)}/)
+      token(:INVALID, /#{m(:invalid)}/)
+      token(:HASH, /##{m(:name)}/)
+      token(:IMPORT_SYM, /@#{m(:I)}#{m(:M)}#{m(:P)}#{m(:O)}#{m(:R)}#{m(:T)}/)
+      token(:PAGE_SYM, /@#{m(:P)}#{m(:A)}#{m(:G)}#{m(:E)}/)
+      token(:MEDIA_SYM, /@#{m(:M)}#{m(:E)}#{m(:D)}#{m(:I)}#{m(:A)}/)
+      token(:CHARSET_SYM, /@#{m(:C)}#{m(:H)}#{m(:A)}#{m(:R)}#{m(:S)}#{m(:E)}#{m(:T)}/)
+      token(:IMPORTANT_SYM, /!(#{m(:w)}|#{m(:comment)})*#{m(:I)}#{m(:M)}#{m(:P)}#{m(:O)}#{m(:R)}#{m(:T)}#{m(:A)}#{m(:N)}#{m(:T)}/)
+      token(:EMS, /#{m(:num)}#{m(:E)}#{m(:M)}/)
+      token(:EXS, /#{m(:num)}#{m(:E)}#{m(:X)}/)
+      token :LENGTH do |patterns|
+        patterns << /#{m(:num)}#{m(:P)}#{m(:X)}/
+        patterns << /#{m(:num)}#{m(:C)}#{m(:M)}/
+        patterns << /#{m(:num)}#{m(:M)}#{m(:M)}/
+        patterns << /#{m(:num)}#{m(:I)}#{m(:N)}/
+        patterns << /#{m(:num)}#{m(:P)}#{m(:T)}/
+        patterns << /#{m(:num)}#{m(:P)}#{m(:C)}/
+      end
+      token :ANGLE do |patterns|
+        patterns << /#{m(:num)}#{m(:D)}#{m(:E)}#{m(:G)}/
+        patterns << /#{m(:num)}#{m(:R)}#{m(:A)}#{m(:D)}/
+        patterns << /#{m(:num)}#{m(:G)}#{m(:R)}#{m(:A)}#{m(:D)}/
+      end
+      token :TIME do |patterns|
+        patterns << /#{m(:num)}#{m(:M)}#{m(:S)}/
+        patterns << /#{m(:num)}#{m(:S)}/
+      end
+      token :FREQ do |patterns|
+        patterns << /#{m(:num)}#{m(:H)}#{m(:Z)}/
+        patterns << /#{m(:num)}#{m(:K)}#{m(:H)}#{m(:Z)}/
+      end
+      token(:DIMENSION, /#{m(:num)}#{m(:ident)}/)
+      token(:PERCENTAGE, /#{m(:num)}%/)
+      token(:NUMBER, /#{m(:num)}/)
+      yield self if block_given?
+    end
+    def tokenize(input_data)
+      tokens = []
+      pos = 0
+      comment_pattern = /\/\*.*?\*\//m
+      comments = input_data.scan(comment_pattern)
+      non_comments = input_data.split(comment_pattern)
+      # Handle a small edge case, if our CSS is *only* comments,
+      # the split, zip, scan trick won't work
+      if non_comments.length == 0
+        tokens = comments.map { |x| Token.new(:COMMENT, x, nil) }
+      else
+        non_comments.zip(comments).each do |non_comment, comment|
+          non_comment.split(/url\([^\)]*\)/m).zip(
+          non_comment.scan(/url\([^\)]*\)/m)
+          ).each do |non_url, url|
+            non_url.split(/"[^"]*"|'[^']*'/m).zip(
+            non_url.scan(/"[^"]*"|'[^']*'/m)
+            ).each do |non_string, quoted_string|
+              if non_string.length > 0 && non_string =~ /\A\s*\Z/m
+                tokens << Token.new(:S, non_string, nil)
+              else
+                non_string.split(/[ \t\r\n\f]*(?![{}+>]*)/m).zip(
+                non_string.scan(/[ \t\r\n\f]*(?![{}+>]*)/m)
+                ).each do |string, whitespace|
+                  until string.empty?
+                    token = nil
+                    @lexemes.each do |lexeme|
+                      match = lexeme.pattern.match(string)
+                      if match
+                        token = Token.new(lexeme.name, match.to_s, pos)
+                        break
+                      end
+                    end
+                    token ||= DelimiterToken.new(/^./.match(string).to_s, pos)
+                    tokens << token
+                    string = string.slice(Range.new(token.value.length, -1))
+                    pos += token.value.length
+                  end
+                  tokens << Token.new(:S, whitespace, nil) if whitespace
+                end
+              end
+              tokens << Token.new(:STRING, quoted_string, nil) if quoted_string
+            end
+            tokens << Token.new(:URI, url, nil) if url
+          end
+          tokens << Token.new(:COMMENT, comment, nil) if comment
+        end
+      end
+      tokens
+    end
+    private
+    def token(name, pattern=nil, &block)
+      @lexemes << Lexeme.new(name, pattern, &block)
+    end
+    def macro(name, regex=nil)
+      regex ? @macros[name] = regex : @macros[name].source
+    end
+    alias :m :macro
+  end
+end

data/lib/antisamy/csspool/rsac/sac.rb ADDED Viewed

@@ -0,0 +1,14 @@
+require "antisamy/csspool/rsac/sac/conditions"
+require "antisamy/csspool/rsac/sac/selectors"
+require "antisamy/csspool/rsac/sac/parser"
+require "antisamy/csspool/rsac/stylesheet"
+module RSAC
+  class << self
+    def parse(text)
+      parser = CSS::SAC::Parser.new
+      parser.parse(text)
+      parser
+    end
+  end
+end

data/lib/antisamy/csspool/rsac/stylesheet/rule.rb ADDED Viewed

@@ -0,0 +1,20 @@
+require 'set'
+module RSAC
+  class StyleSheet
+    class Rule
+      include Comparable
+      attr_accessor :selector, :properties, :index
+      def initialize(selector, index, properties = [])
+        @selector = selector
+        @properties = Set.new(properties)
+        @index = index
+      end
+      def <=>(other)
+        comp = selector.specificity <=> other.selector.specificity
+        comp == 0 ? index <=> other.index : comp
+      end
+    end
+  end
+end

data/lib/antisamy/csspool/rsac/stylesheet/stylesheet.rb ADDED Viewed

@@ -0,0 +1,76 @@
+module RSAC
+  class StyleSheet < RSAC::DocumentHandler
+    attr_reader :rules
+    def initialize(sac)
+      @sac   = sac
+      @rules = []
+      @current_rules = []
+      @selector_index = 0
+    end
+    def start_selector(selectors)
+      selectors.each { |selector|
+        @current_rules << Rule.new(selector, @selector_index)
+      }
+    end
+    def end_selector(selectors)
+      @rules += @current_rules
+      @current_rules = []
+      @selector_index += 1
+      reduce!
+    end
+    def find_rule(rule)
+      rule = self.create_rule(rule) if rule.is_a?(String)
+      rules.find { |x| x.selector == rule.selector }
+    end
+    alias :[] :find_rule
+    def create_rule(rule)
+      Rule.new(@sac.parse_rule(rule).first, @selector_index += 1)
+    end
+    def property(name, value, important)
+      @current_rules.each { |selector|
+        selector.properties << [name, value, important]
+      }
+    end
+    # Get a hash of rules by property
+    def rules_by_property
+      rules_by_property = Hash.new { |h,k| h[k] = [] }
+      @rules.each { |sel|
+        props = sel.properties.to_a.sort_by { |x| x.hash } # HACK?
+        rules_by_property[props] << sel
+      }
+      rules_by_property
+    end
+    def to_css
+      rules_by_property.map do |properties, rules|
+        rules.map { |rule| rule.selector.to_css }.sort.join(', ') + " {\n" +
+          properties.map { |key,value,important|
+            # Super annoying.  If the property is font-family, its supposed to
+            # be commas
+            join_val = ('font-family' == key) ? ', ' : ' '
+            values = [value].flatten.join(join_val)
+            "#{key}:#{values}#{important ? ' !important' : ''};"
+          }.join("\n") + "\n}"
+      end.sort.join("\n")
+    end
+    private
+    # Remove duplicate rules
+    def reduce!
+      unique_rules = {}
+      @rules.each do |rule|
+        (unique_rules[rule.selector] ||= rule).properties += rule.properties
+      end
+      @rules = unique_rules.values
+      self
+    end
+  end
+end

data/lib/antisamy/csspool/rsac/stylesheet.rb ADDED Viewed

@@ -0,0 +1,3 @@
+require "antisamy/csspool/rsac/stylesheet/stylesheet"
+require "antisamy/csspool/rsac/stylesheet/rule"

data/lib/antisamy/csspool/rsac.rb ADDED Viewed

	@@ -0,0 +1 @@
1	+ require 'antisamy/csspool/rsac/sac'

data/lib/antisamy/html/handler.rb CHANGED Viewed

@@ -14,6 +14,7 @@ module AntiSamy
     # HTML entity encode some text
     def encode_text(text)
+      return "" if text.nil?
       @document.encode_special_chars(text)
     end
@@ -40,6 +41,9 @@ module AntiSamy
     # start an element
     def start_element(name,attributes)
+      if name.eql?("head") or name.eql?("body") or name.eql?("html")
+        return
+      end
       elem = Nokogiri::XML::Element.new(name, @document)
       attributes.each do |attrib_pair|
         elem[attrib_pair.first] = attrib_pair.last

data/lib/antisamy/html/sax_filter.rb CHANGED Viewed

@@ -39,16 +39,14 @@ module AntiSamy
       @stack = Stack.new
       @css_content = nil
       @css_attributes = nil
-      @css_scanner = nil
+      @css_scanner = CssScanner.new(policy)
       @param_tag = param_tag
     end
     def error(text)
-      #puts "SAX Error #{text}"
     end
     def warning(text)
-      puts "SAX Warning #{text}"
     end
     # Always create a HTML document unless the DECL was set beforehand
@@ -122,13 +120,24 @@ module AntiSamy
         @handler.characters(tmp)
         @stack.push(:filter)
       elsif tag.nil?
-        @handler.errors << ScanMessage.new(ScanMessage::ERROR_TAG_NOT_IN_POLICY,name)
-        @stack.push(:filter)
+        # We ignore missing HTML and BODY tags since we are fragment parsing, but the
+        # Nokogiri HTML::SAX parser injects HTML/BODY if they are missing
+        unless name.eql?("html") or name.eql?("body")
+          @handler.errors << ScanMessage.new(ScanMessage::ERROR_TAG_NOT_IN_POLICY,name)
+        end
+        # Nokogiri work around for a style tag being auto inserted inot head
+        if name.eql?("head")
+          @stack.push(:remove)
+        else
+          @stack.push(:filter)
+        end
       elsif tag.action.eql?(Policy::ACTION_FILTER)
         @handler.errors << ScanMessage.new(ScanMessage::ERROR_TAG_FILTERED,name)
         @stack.push(:filter)
       elsif tag.action.eql?(Policy::ACTION_VALIDATE)
         # Handle validation
+        remove_tag = false
+        filter_tag = false
         is_style = name.include?("style")
         if is_style
           @stack.push(:css)
@@ -136,8 +145,6 @@ module AntiSamy
           @css_attributes = []
         else
           # Validate attributes
-          remove_tag = false
-          filter_tag = false
           attributes.each do |pair|
             a_name = pair.first
             a_value = pair.last
@@ -148,14 +155,16 @@ module AntiSamy
             # check if the attribute is a style
             if a_name.eql?("style")
               # Handle Style tags
-              # begin
-              #   results = @css_scanner.scan_inline(a_value,name,@policy.max_input)
-              #   valid_attributes << [a_name,results.clean_html]
-              #   @handler.errors << results.errors
-              #   @handler.errors.flatten!
-              # rescue Exception => e
-              #   @handler.errors << ScanMessage.new(ScanMessage::ERROR_CSS_ATTRIBUTE_MALFORMED,name,@handler.encode_text(value))
-              # end
+               begin
+                 results = @css_scanner.scan_inline(a_value,name,@policy.max_input)
+                 unless result.clean_html.empty?
+                   valid_attributes << [a_name,results.clean_html]
+                 end
+                 @handler.errors << results.messages
+                 @handler.errors.flatten!
+               rescue Exception => e
+                 @handler.errors << ScanMessage.new(ScanMessage::ERROR_CSS_ATTRIBUTE_MALFORMED,name,@handler.encode_text(a_value))
+               end
             elsif !attrib.nil? # Attribute is not nil lets check it
               valid = false
               attrib.values.each do |av|
@@ -167,7 +176,8 @@ module AntiSamy
               end
               unless valid
                 attrib.expressions.each do |ae|
-                  if a_value.downcase =~ ae
+                  mc = ae.match(a_value)
+                  if mc and mc.size == a_value.size
                     valid_attributes << [a_name,a_value]
                     valid = true
                     break
@@ -198,7 +208,7 @@ module AntiSamy
         elsif filter_tag
           @stack.push(:filter)
         else
-          if name.eql?("a") and @policy.directive(Policy::ANCHROS_NOFOLLOW) =~ /true/i
+          if name.eql?("a") and @policy.directive(Policy::ANCHROS_NOFOLLOW)
             valid_attributes << ["rel","nofollow"]
           end
           if masquerade
@@ -206,7 +216,7 @@ module AntiSamy
             valid_attributes << ["name",embed_name]
             valid_attributes << ["value",embed_value]
           end
-          @stack.push(:keep)
+          @stack.push(:keep) unless @stack.peek?(:css)
         end
         # End validation action
       elsif tag.action.eql?(Policy::ACTION_TRUNCATE)
@@ -234,7 +244,7 @@ module AntiSamy
     # Add character data to the current tag
     def characters(text)
       unless text =~ /\S/ # skip whitespace
-        return unless @policy.directive(Policy::PRESERVE_SPACE) =~ /true/i
+        return unless @policy.directive(Policy::PRESERVE_SPACE)
       end
       if @stack.peek?(:css)
         @css_content << text
@@ -252,20 +262,26 @@ module AntiSamy
       elsif @stack.peek?(:css)
         @stack.pop
         # Do css stuff here
-        # begin
-        #   results = @css_scanner.scan_tyle_sheet(@css_content,@policy.max_input)
-        #   @handler.errors << results.errors
-        #   @handler.errors.flatten!
-        #   unless results.clean_html.nil? or results.clean_html.empty?
-        #     @handler.start_element(element,css_attributes)
-        #     @handler.characters results.clean_html
-        #     @handler.end_element(element)
-        #   end
-        # rescue Exception => e
-        #   @handler.errors << ScanMessage.new(ScanMessage::ERROR_CSS_TAG_MALFORMED,name,@handler.encode_text(@css_content))
-        # ensure
-        # @css_content = nil
-        # @css_attributes = nil
+         begin
+           results = @css_scanner.scan_sheet(@css_content,@policy.max_input)
+           @handler.errors << results.messages
+           @handler.errors.flatten!
+           unless results.clean_html.nil? or results.clean_html.empty?
+             @handler.start_element(name,@css_attributes)
+             @handler.characters results.clean_html
+             @handler.end_element(name)
+           else
+             @handler.start_element(name,@css_attributes)
+             @handler.characters "/* */"
+             @handler.end_element(name)
+           end
+         rescue Exception => e
+           puts e
+           @handler.errors << ScanMessage.new(ScanMessage::ERROR_CSS_TAG_MALFORMED,name,@handler.encode_text(@css_content))
+         ensure
+           @css_content = nil
+           @css_attributes = nil
+         end
       else
         @stack.pop
         @handler.end_element(name)

data/lib/antisamy/html/scanner.rb CHANGED Viewed

@@ -1,46 +1,4 @@
 module AntiSamy
-  class ScanError < StandardError; end
-  # Scan message, it will contain a message key, tag and optionally content, value
-  class ScanMessage
-    # error.tag.notfound
-    ERROR_TAG_NOT_IN_POLICY = "error.tag.notfound"
-    # error.tag.removed
-    ERROR_TAG_DISALLOWED = "error.tag.removed"
-    # error.tag.filtered
-    ERROR_TAG_FILTERED = "error.tag.filtered"
-    # error.tag.encoded
-    ERROR_TAG_ENCODED = "error.tag.encoded"
-    # error.css.tag.malformed
-    ERROR_CSS_TAG_MALFORMED = "error.css.tag.malformed"
-    # error.css.attribute.malformed
-    ERROR_CSS_ATTRIBUTE_MALFORMED = "error.css.attribute.malformed"
-    # error.attribute.invalid.filtered
-    ERROR_ATTRIBUTE_CAUSE_FILTER = "error.attribute.invalid.filtered"
-    # error.attribute.invalid.encoded
-    ERROR_ATTRIBUTE_CAUSE_ENCODE = "error.attribute.invalid.encoded"
-    # error.attribute.invalid.filtered
-    ERROR_ATTRIBUTE_INVALID_FILTERED = "error.attribute.invalid.filtered"
-    # error.attribute.invalid.removed
-    ERROR_ATTRIBUTE_INVALID_REMOVED = "error.attribute.invalid.removed"
-    # error.attribute.notfound
-    ERROR_ATTRIBUTE_NOT_IN_POLICY = "error.attribute.notfound"
-    # error.attribute.invalid
-    ERROR_ATTRIBUTE_INVALID = "error.attribute.invalid"
-    attr_reader :tag, :content, :value, :msgkey
-    def initialize(msgkey, tag, content=nil,value=nil)
-      @msgkey = msgkey
-      @tag = tag
-      @content = content
-      @value = value
-    end
-    def to_s
-      "#{self.msgkey} #{@tag} #{@content} #{@value}"
-    end
-  end
   class Scanner
     attr_accessor :policy, :errors, :nofollow, :pae
     DEFAULT_ENCODE = "UTF-8"
@@ -67,7 +25,7 @@ module AntiSamy
     # will raise an error if nil input or the maximum input size is exceeded
     def scan(input, input_encode, output_encoder)
       raise ArgumentError if input.nil?
-      raise ScanError, "Max input Exceeded" if input.size > @policy.max_input
+      raise ScanError, "Max input Exceeded #{input.size} > #{@policy.max_input}" if input.size > @policy.max_input
       # check poilcy stuff
       handler = Handler.new(@policy,output_encoder)
       scanner = SaxFilter.new(@policy,handler,@@basic_param_tag_rule)

data/lib/antisamy/policy.rb CHANGED Viewed

@@ -29,13 +29,16 @@ module AntiSamy
     MAX_INPUT = "maxInputSize"
     USE_XHTML = "userXHTML"
     FORMAT_OUTPUT = "formatOutput"
+    # will we allow embedded style sheets
     EMBED_STYLESHEETS = "embedStyleSheets"
+    # Connection timeout in miliseconds
     CONN_TIMEOUT = "conenctionTimeout"
     ANCHROS_NOFOLLOW = "nofollowAnchors"
     VALIDATE_P_AS_E = "validateParamAsEmbed"
     PRESERVE_SPACE = "preserveSpace"
     PRESERVE_COMMENTS = "preserveComments"
     ON_UNKNOWN_TAG = "onUnknownTag"
+    MAX_SHEETS = "maxStyleSheetImports"
     # Class method to fetch the schema
     def self.schema
@@ -192,15 +195,17 @@ module AntiSamy
       section.element_children.each do |dir|
         name = dir["name"]
         value = dir["value"]
-        @directives[name] = value
-        if name.eql?("maxInputSize")
+        if name.eql?("maxInputSize")
           @max_input = value.to_i
         else
-          if value =~ /true/
+          if name.eql?("connectionTimeout") or name.eql?("maxStyleSheetImports")
+            value = value.to_i
+          elsif value =~ /true/i
             value = true
           else
             value = false
           end
+          @directives[name] = value
         end
       end
     end

data/lib/antisamy/scan_results.rb CHANGED Viewed

@@ -1,4 +1,72 @@
 module AntiSamy
+  class ScanError < StandardError; end
+  # Scan message, it will contain a message key, tag and optionally content, value
+  class ScanMessage
+    # error.tag.notfound
+    ERROR_TAG_NOT_IN_POLICY = "error.tag.notfound"
+    # error.tag.removed
+    ERROR_TAG_DISALLOWED = "error.tag.removed"
+    # error.tag.filtered
+    ERROR_TAG_FILTERED = "error.tag.filtered"
+    # error.tag.encoded
+    ERROR_TAG_ENCODED = "error.tag.encoded"
+    # error.css.tag.malformed
+    ERROR_CSS_TAG_MALFORMED = "error.css.tag.malformed"
+    # error.css.attribute.malformed
+    ERROR_CSS_ATTRIBUTE_MALFORMED = "error.css.attribute.malformed"
+    # error.attribute.invalid.filtered
+    ERROR_ATTRIBUTE_CAUSE_FILTER = "error.attribute.invalid.filtered"
+    # error.attribute.invalid.encoded
+    ERROR_ATTRIBUTE_CAUSE_ENCODE = "error.attribute.invalid.encoded"
+    # error.attribute.invalid.filtered
+    ERROR_ATTRIBUTE_INVALID_FILTERED = "error.attribute.invalid.filtered"
+    # error.attribute.invalid.removed
+    ERROR_ATTRIBUTE_INVALID_REMOVED = "error.attribute.invalid.removed"
+    # error.attribute.notfound
+    ERROR_ATTRIBUTE_NOT_IN_POLICY = "error.attribute.notfound"
+    # error.attribute.invalid
+    ERROR_ATTRIBUTE_INVALID = "error.attribute.invalid"
+    # comment removed
+    ERROR_COMMENT_REMOVED = "error.comment.removed"
+    # tag rule not found
+    ERROR_CSS_TAG_RULE_NOTFOUND = "error.css.tag.notfound"
+    # style sheet nto found
+    ERROR_STYLESHEET_RULE_NOTFOUND = "error.stylesheet.notfound"
+    # embedded stylesheets disabled
+    ERROR_CSS_IMPORT_DISABLED = "error.css.import.disabled"
+    # bad uri
+    ERROR_CSS_IMPORT_URL_INVALID = "error.css.import.uri.invalid"
+    # disallowed selector
+    ERROR_CSS_TAG_SELECTOR_DISALLOWED = "error.css.tag.removed"
+    # invalid for style sheet
+    ERROR_STYLESHEET_SELECTOR_DISALLOWED = "error.style.tag.notallowed"
+    # invlaid css tag property
+    ERROR_CSS_TAG_PROPERTY_INVALID = "error.css.property.invalid"
+    # invid style sheet roperty tag
+    ERROR_STYLESHEET_PROPERTY_INVALID = "error.stylesheet.css.property.invalid"
+    # exceed alloted imports
+    ERROR_CSS_IMPORT_EXCEEDED = "error.import.exceeded.sheets"
+    # exceede size
+    ERROR_CSS_IMPORT_INPUT_SIZE = "error.import.exceeded.size"
+    # Failed to import
+    ERROR_CSS_IMPORT_FAILURE = "error.import.bad.uri"
+    # selector not found
+    ERROR_STYLESHEET_SELECTOR_NOTFOUND = "error.css.stylesheet.selector.notfound"
+    # selector in css not fond
+    ERROR_CSS_TAG_SELECTOR_NOTFOUND = "error.css.tag.selector.notfound"
+    attr_reader :tag, :content, :value, :msgkey
+    def initialize(msgkey, tag, content=nil,value=nil)
+      @msgkey = msgkey
+      @tag = tag
+      @content = content
+      @value = value
+    end
+    def to_s
+      "#{self.msgkey} #{@tag} #{@content} #{@value}"
+    end
+  end
   # Container of scan results, provides a list of ScanMessage indicating
   # why elements were removed from the resulting html
   class ScanResults

data/lib/antisamy.rb CHANGED Viewed

@@ -1,10 +1,14 @@
 require 'nokogiri'
+require 'antisamy/csspool/rsac'
 require 'antisamy/model/attribute'
 require 'antisamy/model/tag'
 require 'antisamy/model/css_property'
 require 'antisamy/policy'
 require 'antisamy/scan_results'
 require 'antisamy/html/handler'
+require 'antisamy/css/css_validator'
+require 'antisamy/css/css_filter'
+require 'antisamy/css/css_scanner'
 require 'antisamy/html/sax_filter'
 require 'antisamy/html/scanner'