RubyGems - antisamy - Versions diffs - 0.0.1 → 0.2.0 - Mend

antisamy 0.0.1 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (45) hide show

data/README.rdoc +6 -1
data/lib/antisamy/css/css_filter.rb +187 -0
data/lib/antisamy/css/css_scanner.rb +84 -0
data/lib/antisamy/css/css_validator.rb +129 -0
data/lib/antisamy/csspool/rsac/sac/conditions/attribute_condition.rb +50 -0
data/lib/antisamy/csspool/rsac/sac/conditions/begin_hyphen_condition.rb +18 -0
data/lib/antisamy/csspool/rsac/sac/conditions/class_condition.rb +18 -0
data/lib/antisamy/csspool/rsac/sac/conditions/combinator_condition.rb +36 -0
data/lib/antisamy/csspool/rsac/sac/conditions/condition.rb +29 -0
data/lib/antisamy/csspool/rsac/sac/conditions/id_condition.rb +23 -0
data/lib/antisamy/csspool/rsac/sac/conditions/one_of_condition.rb +18 -0
data/lib/antisamy/csspool/rsac/sac/conditions/pseudo_class_condition.rb +20 -0
data/lib/antisamy/csspool/rsac/sac/conditions.rb +5 -0
data/lib/antisamy/csspool/rsac/sac/document_handler.rb +66 -0
data/lib/antisamy/csspool/rsac/sac/error_handler.rb +13 -0
data/lib/antisamy/csspool/rsac/sac/generated_parser.rb +1012 -0
data/lib/antisamy/csspool/rsac/sac/generated_property_parser.rb +9284 -0
data/lib/antisamy/csspool/rsac/sac/lexeme.rb +27 -0
data/lib/antisamy/csspool/rsac/sac/lexical_unit.rb +201 -0
data/lib/antisamy/csspool/rsac/sac/parse_exception.rb +4 -0
data/lib/antisamy/csspool/rsac/sac/parser.rb +109 -0
data/lib/antisamy/csspool/rsac/sac/property_parser.rb +44 -0
data/lib/antisamy/csspool/rsac/sac/selectors/child_selector.rb +36 -0
data/lib/antisamy/csspool/rsac/sac/selectors/conditional_selector.rb +45 -0
data/lib/antisamy/csspool/rsac/sac/selectors/descendant_selector.rb +36 -0
data/lib/antisamy/csspool/rsac/sac/selectors/element_selector.rb +35 -0
data/lib/antisamy/csspool/rsac/sac/selectors/selector.rb +25 -0
data/lib/antisamy/csspool/rsac/sac/selectors/sibling_selector.rb +35 -0
data/lib/antisamy/csspool/rsac/sac/selectors/simple_selector.rb +21 -0
data/lib/antisamy/csspool/rsac/sac/selectors.rb +5 -0
data/lib/antisamy/csspool/rsac/sac/token.rb +25 -0
data/lib/antisamy/csspool/rsac/sac/tokenizer.rb +185 -0
data/lib/antisamy/csspool/rsac/sac.rb +14 -0
data/lib/antisamy/csspool/rsac/stylesheet/rule.rb +20 -0
data/lib/antisamy/csspool/rsac/stylesheet/stylesheet.rb +76 -0
data/lib/antisamy/csspool/rsac/stylesheet.rb +3 -0
data/lib/antisamy/csspool/rsac.rb +1 -0
data/lib/antisamy/html/handler.rb +4 -0
data/lib/antisamy/html/sax_filter.rb +49 -33
data/lib/antisamy/html/scanner.rb +1 -43
data/lib/antisamy/policy.rb +8 -3
data/lib/antisamy/scan_results.rb +68 -0
data/lib/antisamy.rb +4 -0
data/spec/antisamy_spec.rb +111 -3
metadata +39 -3

data/lib/antisamy/csspool/rsac/sac/tokenizer.rb ADDED Viewed

@@ -0,0 +1,185 @@
+require "antisamy/csspool/rsac/sac/lexeme"
+require "antisamy/csspool/rsac/sac/token"
+module RSAC
+  class Tokenizer
+    def initialize(&block)
+      @lexemes = []
+      @macros = {}
+      # http://www.w3.org/TR/CSS21/syndata.html
+      macro(:h, /([0-9a-f])/ )
+      macro(:nonascii, /([\200-\377])/ )
+      macro(:nl, /(\n|\r\n|\r|\f)/ )
+      macro(:unicode, /(\\#{m(:h)}{1,6}(\r\n|[ \t\r\n\f])?)/ )
+      macro(:escape, /(#{m(:unicode)}|\\[^\r\n\f0-9a-f])/ )
+      macro(:nmstart, /([_a-z]|#{m(:nonascii)}|#{m(:escape)})/ )
+      macro(:nmchar, /([_a-z0-9-]|#{m(:nonascii)}|#{m(:escape)})/ )
+      macro(:string1, /(\"([^\n\r\f\\\"]|\\#{m(:nl)}|#{m(:escape)})*\")/ )
+      macro(:string2, /(\'([^\n\r\f\\']|\\#{m(:nl)}|#{m(:escape)})*\')/ )
+      macro(:invalid1, /(\"([^\n\r\f\\\"]|\\#{m(:nl)}|#{m(:escape)})*)/ )
+      macro(:invalid2, /(\'([^\n\r\f\\']|\\#{m(:nl)}|#{m(:escape)})*)/ )
+      macro(:comment, /(\/\*[^*]*\*+([^\/*][^*]*\*+)*\/)/ )
+      macro(:ident, /(-?#{m(:nmstart)}#{m(:nmchar)}*)/ )
+      macro(:name, /(#{m(:nmchar)}+)/ )
+      macro(:num, /([0-9]+|[0-9]*\.[0-9]+)/ )
+      macro(:string, /(#{m(:string1)}|#{m(:string2)})/ )
+      macro(:invalid, /(#{m(:invalid1)}|#{m(:invalid2)})/ )
+      macro(:url, /(([!#\$%&*-~]|#{m(:nonascii)}|#{m(:escape)})*)/ )
+      macro(:s, /([ \t\r\n\f]+)/ )
+      macro(:w, /(#{m(:s)}?)/ )
+      macro(:A, /(a|\\0{0,4}(41|61)(\r\n|[ \t\r\n\f])?)/ )
+      macro(:C, /(c|\\0{0,4}(43|63)(\r\n|[ \t\r\n\f])?)/ )
+      macro(:D, /(d|\\0{0,4}(44|64)(\r\n|[ \t\r\n\f])?)/ )
+      macro(:E, /(e|\\0{0,4}(45|65)(\r\n|[ \t\r\n\f])?)/ )
+      macro(:G, /(g|\\0{0,4}(47|67)(\r\n|[ \t\r\n\f])?|\\g)/ )
+      macro(:H, /(h|\\0{0,4}(48|68)(\r\n|[ \t\r\n\f])?|\\h)/ )
+      macro(:I, /(i|\\0{0,4}(49|69)(\r\n|[ \t\r\n\f])?|\\i)/ )
+      macro(:K, /(k|\\0{0,4}(4b|6b)(\r\n|[ \t\r\n\f])?|\\k)/ )
+      macro(:M, /(m|\\0{0,4}(4d|6d)(\r\n|[ \t\r\n\f])?|\\m)/ )
+      macro(:N, /(n|\\0{0,4}(4e|6e)(\r\n|[ \t\r\n\f])?|\\n)/ )
+      macro(:O, /(o|\\0{0,4}(51|71)(\r\n|[ \t\r\n\f])?|\\o)/ )
+      macro(:P, /(p|\\0{0,4}(50|70)(\r\n|[ \t\r\n\f])?|\\p)/ )
+      macro(:R, /(r|\\0{0,4}(52|72)(\r\n|[ \t\r\n\f])?|\\r)/ )
+      macro(:S, /(s|\\0{0,4}(53|73)(\r\n|[ \t\r\n\f])?|\\s)/ )
+      macro(:T, /(t|\\0{0,4}(54|74)(\r\n|[ \t\r\n\f])?|\\t)/ )
+      macro(:X, /(x|\\0{0,4}(58|78)(\r\n|[ \t\r\n\f])?|\\x)/ )
+      macro(:Z, /(z|\\0{0,4}(5a|7a)(\r\n|[ \t\r\n\f])?|\\z)/ )
+      #token :COMMENT do |patterns|
+      #  patterns << /\/\*[^*]*\*+([^\/*][^*]*\*+)*\//
+      #  patterns << /#{m(:s)}+\/\*[^*]*\*+([^\/*][^*]*\*+)*\//
+      #end
+      token(:LBRACE, /#{m(:w)}\{/)
+      token(:PLUS, /#{m(:w)}\+/)
+      token(:GREATER, /#{m(:w)}>/)
+      token(:COMMA, /#{m(:w)},/)
+      token(:S, /#{m(:s)}/)
+      #token :URI do |patterns|
+      #  patterns << /url\(#{m(:w)}#{m(:string)}#{m(:w)}\)/
+      #  patterns << /url\(#{m(:w)}#{m(:url)}#{m(:w)}\)/
+      #end
+      token(:FUNCTION, /#{m(:ident)}\(/)
+      token(:IDENT, /#{m(:ident)}/)
+      token(:CDO, /<!--/)
+      token(:CDC, /-->/)
+      token(:INCLUDES, /~=/)
+      token(:DASHMATCH, /\|=/)
+      #token(:STRING, /#{m(:string)}/)
+      token(:INVALID, /#{m(:invalid)}/)
+      token(:HASH, /##{m(:name)}/)
+      token(:IMPORT_SYM, /@#{m(:I)}#{m(:M)}#{m(:P)}#{m(:O)}#{m(:R)}#{m(:T)}/)
+      token(:PAGE_SYM, /@#{m(:P)}#{m(:A)}#{m(:G)}#{m(:E)}/)
+      token(:MEDIA_SYM, /@#{m(:M)}#{m(:E)}#{m(:D)}#{m(:I)}#{m(:A)}/)
+      token(:CHARSET_SYM, /@#{m(:C)}#{m(:H)}#{m(:A)}#{m(:R)}#{m(:S)}#{m(:E)}#{m(:T)}/)
+      token(:IMPORTANT_SYM, /!(#{m(:w)}|#{m(:comment)})*#{m(:I)}#{m(:M)}#{m(:P)}#{m(:O)}#{m(:R)}#{m(:T)}#{m(:A)}#{m(:N)}#{m(:T)}/)
+      token(:EMS, /#{m(:num)}#{m(:E)}#{m(:M)}/)
+      token(:EXS, /#{m(:num)}#{m(:E)}#{m(:X)}/)
+      token :LENGTH do |patterns|
+        patterns << /#{m(:num)}#{m(:P)}#{m(:X)}/
+        patterns << /#{m(:num)}#{m(:C)}#{m(:M)}/
+        patterns << /#{m(:num)}#{m(:M)}#{m(:M)}/
+        patterns << /#{m(:num)}#{m(:I)}#{m(:N)}/
+        patterns << /#{m(:num)}#{m(:P)}#{m(:T)}/
+        patterns << /#{m(:num)}#{m(:P)}#{m(:C)}/
+      end
+      token :ANGLE do |patterns|
+        patterns << /#{m(:num)}#{m(:D)}#{m(:E)}#{m(:G)}/
+        patterns << /#{m(:num)}#{m(:R)}#{m(:A)}#{m(:D)}/
+        patterns << /#{m(:num)}#{m(:G)}#{m(:R)}#{m(:A)}#{m(:D)}/
+      end
+      token :TIME do |patterns|
+        patterns << /#{m(:num)}#{m(:M)}#{m(:S)}/
+        patterns << /#{m(:num)}#{m(:S)}/
+      end
+      token :FREQ do |patterns|
+        patterns << /#{m(:num)}#{m(:H)}#{m(:Z)}/
+        patterns << /#{m(:num)}#{m(:K)}#{m(:H)}#{m(:Z)}/
+      end
+      token(:DIMENSION, /#{m(:num)}#{m(:ident)}/)
+      token(:PERCENTAGE, /#{m(:num)}%/)
+      token(:NUMBER, /#{m(:num)}/)
+      yield self if block_given?
+    end
+    def tokenize(input_data)
+      tokens = []
+      pos = 0
+      comment_pattern = /\/\*.*?\*\//m
+      comments = input_data.scan(comment_pattern)
+      non_comments = input_data.split(comment_pattern)
+      # Handle a small edge case, if our CSS is *only* comments,
+      # the split, zip, scan trick won't work
+      if non_comments.length == 0
+        tokens = comments.map { |x| Token.new(:COMMENT, x, nil) }
+      else
+        non_comments.zip(comments).each do |non_comment, comment|
+          non_comment.split(/url\([^\)]*\)/m).zip(
+          non_comment.scan(/url\([^\)]*\)/m)
+          ).each do |non_url, url|
+            non_url.split(/"[^"]*"|'[^']*'/m).zip(
+            non_url.scan(/"[^"]*"|'[^']*'/m)
+            ).each do |non_string, quoted_string|
+              if non_string.length > 0 && non_string =~ /\A\s*\Z/m
+                tokens << Token.new(:S, non_string, nil)
+              else
+                non_string.split(/[ \t\r\n\f]*(?![{}+>]*)/m).zip(
+                non_string.scan(/[ \t\r\n\f]*(?![{}+>]*)/m)
+                ).each do |string, whitespace|
+                  until string.empty?
+                    token = nil
+                    @lexemes.each do |lexeme|
+                      match = lexeme.pattern.match(string)
+                      if match
+                        token = Token.new(lexeme.name, match.to_s, pos)
+                        break
+                      end
+                    end
+                    token ||= DelimiterToken.new(/^./.match(string).to_s, pos)
+                    tokens << token
+                    string = string.slice(Range.new(token.value.length, -1))
+                    pos += token.value.length
+                  end
+                  tokens << Token.new(:S, whitespace, nil) if whitespace
+                end
+              end
+              tokens << Token.new(:STRING, quoted_string, nil) if quoted_string
+            end
+            tokens << Token.new(:URI, url, nil) if url
+          end
+          tokens << Token.new(:COMMENT, comment, nil) if comment
+        end
+      end
+      tokens
+    end
+    private
+    def token(name, pattern=nil, &block)
+      @lexemes << Lexeme.new(name, pattern, &block)
+    end
+    def macro(name, regex=nil)
+      regex ? @macros[name] = regex : @macros[name].source
+    end
+    alias :m :macro
+  end
+end

data/lib/antisamy/csspool/rsac/sac.rb ADDED Viewed

@@ -0,0 +1,14 @@
+require "antisamy/csspool/rsac/sac/conditions"
+require "antisamy/csspool/rsac/sac/selectors"
+require "antisamy/csspool/rsac/sac/parser"
+require "antisamy/csspool/rsac/stylesheet"
+module RSAC
+  class << self
+    def parse(text)
+      parser = CSS::SAC::Parser.new
+      parser.parse(text)
+      parser
+    end
+  end
+end

data/lib/antisamy/csspool/rsac/stylesheet/rule.rb ADDED Viewed

@@ -0,0 +1,20 @@
+require 'set'
+module RSAC
+  class StyleSheet
+    class Rule
+      include Comparable
+      attr_accessor :selector, :properties, :index
+      def initialize(selector, index, properties = [])
+        @selector = selector
+        @properties = Set.new(properties)
+        @index = index
+      end
+      def <=>(other)
+        comp = selector.specificity <=> other.selector.specificity
+        comp == 0 ? index <=> other.index : comp
+      end
+    end
+  end
+end

data/lib/antisamy/csspool/rsac/stylesheet/stylesheet.rb ADDED Viewed

@@ -0,0 +1,76 @@
+module RSAC
+  class StyleSheet < RSAC::DocumentHandler
+    attr_reader :rules
+    def initialize(sac)
+      @sac   = sac
+      @rules = []
+      @current_rules = []
+      @selector_index = 0
+    end
+    def start_selector(selectors)
+      selectors.each { |selector|
+        @current_rules << Rule.new(selector, @selector_index)
+      }
+    end
+    def end_selector(selectors)
+      @rules += @current_rules
+      @current_rules = []
+      @selector_index += 1
+      reduce!
+    end
+    def find_rule(rule)
+      rule = self.create_rule(rule) if rule.is_a?(String)
+      rules.find { |x| x.selector == rule.selector }
+    end
+    alias :[] :find_rule
+    def create_rule(rule)
+      Rule.new(@sac.parse_rule(rule).first, @selector_index += 1)
+    end
+    def property(name, value, important)
+      @current_rules.each { |selector|
+        selector.properties << [name, value, important]
+      }
+    end
+    # Get a hash of rules by property
+    def rules_by_property
+      rules_by_property = Hash.new { |h,k| h[k] = [] }
+      @rules.each { |sel|
+        props = sel.properties.to_a.sort_by { |x| x.hash } # HACK?
+        rules_by_property[props] << sel
+      }
+      rules_by_property
+    end
+    def to_css
+      rules_by_property.map do |properties, rules|
+        rules.map { |rule| rule.selector.to_css }.sort.join(', ') + " {\n" +
+          properties.map { |key,value,important|
+            # Super annoying.  If the property is font-family, its supposed to
+            # be commas
+            join_val = ('font-family' == key) ? ', ' : ' '
+            values = [value].flatten.join(join_val)
+            "#{key}:#{values}#{important ? ' !important' : ''};"
+          }.join("\n") + "\n}"
+      end.sort.join("\n")
+    end
+    private
+    # Remove duplicate rules
+    def reduce!
+      unique_rules = {}
+      @rules.each do |rule|
+        (unique_rules[rule.selector] ||= rule).properties += rule.properties
+      end
+      @rules = unique_rules.values
+      self
+    end
+  end
+end

data/lib/antisamy/csspool/rsac/stylesheet.rb ADDED Viewed

@@ -0,0 +1,3 @@
+require "antisamy/csspool/rsac/stylesheet/stylesheet"
+require "antisamy/csspool/rsac/stylesheet/rule"

data/lib/antisamy/csspool/rsac.rb ADDED Viewed

	@@ -0,0 +1 @@
1	+ require 'antisamy/csspool/rsac/sac'

data/lib/antisamy/html/handler.rb CHANGED Viewed

@@ -14,6 +14,7 @@ module AntiSamy
     # HTML entity encode some text
     def encode_text(text)
+      return "" if text.nil?
       @document.encode_special_chars(text)
     end
@@ -40,6 +41,9 @@ module AntiSamy
     # start an element
     def start_element(name,attributes)
+      if name.eql?("head") or name.eql?("body") or name.eql?("html")
+        return
+      end
       elem = Nokogiri::XML::Element.new(name, @document)
       attributes.each do |attrib_pair|
         elem[attrib_pair.first] = attrib_pair.last

data/lib/antisamy/html/sax_filter.rb CHANGED Viewed

@@ -39,16 +39,14 @@ module AntiSamy
       @stack = Stack.new
       @css_content = nil
       @css_attributes = nil
-      @css_scanner = nil
+      @css_scanner = CssScanner.new(policy)
       @param_tag = param_tag
     end
     def error(text)
-      #puts "SAX Error #{text}"
     end
     def warning(text)
-      puts "SAX Warning #{text}"
     end
     # Always create a HTML document unless the DECL was set beforehand
@@ -122,13 +120,24 @@ module AntiSamy
         @handler.characters(tmp)
         @stack.push(:filter)
       elsif tag.nil?
-        @handler.errors << ScanMessage.new(ScanMessage::ERROR_TAG_NOT_IN_POLICY,name)
-        @stack.push(:filter)
+        # We ignore missing HTML and BODY tags since we are fragment parsing, but the
+        # Nokogiri HTML::SAX parser injects HTML/BODY if they are missing
+        unless name.eql?("html") or name.eql?("body")
+          @handler.errors << ScanMessage.new(ScanMessage::ERROR_TAG_NOT_IN_POLICY,name)
+        end
+        # Nokogiri work around for a style tag being auto inserted inot head
+        if name.eql?("head")
+          @stack.push(:remove)
+        else
+          @stack.push(:filter)
+        end
       elsif tag.action.eql?(Policy::ACTION_FILTER)
         @handler.errors << ScanMessage.new(ScanMessage::ERROR_TAG_FILTERED,name)
         @stack.push(:filter)
       elsif tag.action.eql?(Policy::ACTION_VALIDATE)
         # Handle validation
+        remove_tag = false
+        filter_tag = false
         is_style = name.include?("style")
         if is_style
           @stack.push(:css)
@@ -136,8 +145,6 @@ module AntiSamy
           @css_attributes = []
         else
           # Validate attributes
-          remove_tag = false
-          filter_tag = false
           attributes.each do |pair|
             a_name = pair.first
             a_value = pair.last
@@ -148,14 +155,16 @@ module AntiSamy
             # check if the attribute is a style
             if a_name.eql?("style")
               # Handle Style tags
-              # begin
-              #   results = @css_scanner.scan_inline(a_value,name,@policy.max_input)
-              #   valid_attributes << [a_name,results.clean_html]
-              #   @handler.errors << results.errors
-              #   @handler.errors.flatten!
-              # rescue Exception => e
-              #   @handler.errors << ScanMessage.new(ScanMessage::ERROR_CSS_ATTRIBUTE_MALFORMED,name,@handler.encode_text(value))
-              # end
+               begin
+                 results = @css_scanner.scan_inline(a_value,name,@policy.max_input)
+                 unless result.clean_html.empty?
+                   valid_attributes << [a_name,results.clean_html]
+                 end
+                 @handler.errors << results.messages
+                 @handler.errors.flatten!
+               rescue Exception => e
+                 @handler.errors << ScanMessage.new(ScanMessage::ERROR_CSS_ATTRIBUTE_MALFORMED,name,@handler.encode_text(a_value))
+               end
             elsif !attrib.nil? # Attribute is not nil lets check it
               valid = false
               attrib.values.each do |av|
@@ -167,7 +176,8 @@ module AntiSamy
               end
               unless valid
                 attrib.expressions.each do |ae|
-                  if a_value.downcase =~ ae
+                  mc = ae.match(a_value)
+                  if mc and mc.size == a_value.size
                     valid_attributes << [a_name,a_value]
                     valid = true
                     break
@@ -198,7 +208,7 @@ module AntiSamy
         elsif filter_tag
           @stack.push(:filter)
         else
-          if name.eql?("a") and @policy.directive(Policy::ANCHROS_NOFOLLOW) =~ /true/i
+          if name.eql?("a") and @policy.directive(Policy::ANCHROS_NOFOLLOW)
             valid_attributes << ["rel","nofollow"]
           end
           if masquerade
@@ -206,7 +216,7 @@ module AntiSamy
             valid_attributes << ["name",embed_name]
             valid_attributes << ["value",embed_value]
           end
-          @stack.push(:keep)
+          @stack.push(:keep) unless @stack.peek?(:css)
         end
         # End validation action
       elsif tag.action.eql?(Policy::ACTION_TRUNCATE)
@@ -234,7 +244,7 @@ module AntiSamy
     # Add character data to the current tag
     def characters(text)
       unless text =~ /\S/ # skip whitespace
-        return unless @policy.directive(Policy::PRESERVE_SPACE) =~ /true/i
+        return unless @policy.directive(Policy::PRESERVE_SPACE)
       end
       if @stack.peek?(:css)
         @css_content << text
@@ -252,20 +262,26 @@ module AntiSamy
       elsif @stack.peek?(:css)
         @stack.pop
         # Do css stuff here
-        # begin
-        #   results = @css_scanner.scan_tyle_sheet(@css_content,@policy.max_input)
-        #   @handler.errors << results.errors
-        #   @handler.errors.flatten!
-        #   unless results.clean_html.nil? or results.clean_html.empty?
-        #     @handler.start_element(element,css_attributes)
-        #     @handler.characters results.clean_html
-        #     @handler.end_element(element)
-        #   end
-        # rescue Exception => e
-        #   @handler.errors << ScanMessage.new(ScanMessage::ERROR_CSS_TAG_MALFORMED,name,@handler.encode_text(@css_content))
-        # ensure
-        # @css_content = nil
-        # @css_attributes = nil
+         begin
+           results = @css_scanner.scan_sheet(@css_content,@policy.max_input)
+           @handler.errors << results.messages
+           @handler.errors.flatten!
+           unless results.clean_html.nil? or results.clean_html.empty?
+             @handler.start_element(name,@css_attributes)
+             @handler.characters results.clean_html
+             @handler.end_element(name)
+           else
+             @handler.start_element(name,@css_attributes)
+             @handler.characters "/* */"
+             @handler.end_element(name)
+           end
+         rescue Exception => e
+           puts e
+           @handler.errors << ScanMessage.new(ScanMessage::ERROR_CSS_TAG_MALFORMED,name,@handler.encode_text(@css_content))
+         ensure
+           @css_content = nil
+           @css_attributes = nil
+         end
       else
         @stack.pop
         @handler.end_element(name)

data/lib/antisamy/html/scanner.rb CHANGED Viewed

@@ -1,46 +1,4 @@
 module AntiSamy
-  class ScanError < StandardError; end
-  # Scan message, it will contain a message key, tag and optionally content, value
-  class ScanMessage
-    # error.tag.notfound
-    ERROR_TAG_NOT_IN_POLICY = "error.tag.notfound"
-    # error.tag.removed
-    ERROR_TAG_DISALLOWED = "error.tag.removed"
-    # error.tag.filtered
-    ERROR_TAG_FILTERED = "error.tag.filtered"
-    # error.tag.encoded
-    ERROR_TAG_ENCODED = "error.tag.encoded"
-    # error.css.tag.malformed
-    ERROR_CSS_TAG_MALFORMED = "error.css.tag.malformed"
-    # error.css.attribute.malformed
-    ERROR_CSS_ATTRIBUTE_MALFORMED = "error.css.attribute.malformed"
-    # error.attribute.invalid.filtered
-    ERROR_ATTRIBUTE_CAUSE_FILTER = "error.attribute.invalid.filtered"
-    # error.attribute.invalid.encoded
-    ERROR_ATTRIBUTE_CAUSE_ENCODE = "error.attribute.invalid.encoded"
-    # error.attribute.invalid.filtered
-    ERROR_ATTRIBUTE_INVALID_FILTERED = "error.attribute.invalid.filtered"
-    # error.attribute.invalid.removed
-    ERROR_ATTRIBUTE_INVALID_REMOVED = "error.attribute.invalid.removed"
-    # error.attribute.notfound
-    ERROR_ATTRIBUTE_NOT_IN_POLICY = "error.attribute.notfound"
-    # error.attribute.invalid
-    ERROR_ATTRIBUTE_INVALID = "error.attribute.invalid"
-    attr_reader :tag, :content, :value, :msgkey
-    def initialize(msgkey, tag, content=nil,value=nil)
-      @msgkey = msgkey
-      @tag = tag
-      @content = content
-      @value = value
-    end
-    def to_s
-      "#{self.msgkey} #{@tag} #{@content} #{@value}"
-    end
-  end
   class Scanner
     attr_accessor :policy, :errors, :nofollow, :pae
     DEFAULT_ENCODE = "UTF-8"
@@ -67,7 +25,7 @@ module AntiSamy
     # will raise an error if nil input or the maximum input size is exceeded
     def scan(input, input_encode, output_encoder)
       raise ArgumentError if input.nil?
-      raise ScanError, "Max input Exceeded" if input.size > @policy.max_input
+      raise ScanError, "Max input Exceeded #{input.size} > #{@policy.max_input}" if input.size > @policy.max_input
       # check poilcy stuff
       handler = Handler.new(@policy,output_encoder)
       scanner = SaxFilter.new(@policy,handler,@@basic_param_tag_rule)

data/lib/antisamy/policy.rb CHANGED Viewed

@@ -29,13 +29,16 @@ module AntiSamy
     MAX_INPUT = "maxInputSize"
     USE_XHTML = "userXHTML"
     FORMAT_OUTPUT = "formatOutput"
+    # will we allow embedded style sheets
     EMBED_STYLESHEETS = "embedStyleSheets"
+    # Connection timeout in miliseconds
     CONN_TIMEOUT = "conenctionTimeout"
     ANCHROS_NOFOLLOW = "nofollowAnchors"
     VALIDATE_P_AS_E = "validateParamAsEmbed"
     PRESERVE_SPACE = "preserveSpace"
     PRESERVE_COMMENTS = "preserveComments"
     ON_UNKNOWN_TAG = "onUnknownTag"
+    MAX_SHEETS = "maxStyleSheetImports"
     # Class method to fetch the schema
     def self.schema
@@ -192,15 +195,17 @@ module AntiSamy
       section.element_children.each do |dir|
         name = dir["name"]
         value = dir["value"]
-        @directives[name] = value
-        if name.eql?("maxInputSize")
+        if name.eql?("maxInputSize")
           @max_input = value.to_i
         else
-          if value =~ /true/
+          if name.eql?("connectionTimeout") or name.eql?("maxStyleSheetImports")
+            value = value.to_i
+          elsif value =~ /true/i
             value = true
           else
             value = false
           end
+          @directives[name] = value
         end
       end
     end

data/lib/antisamy/scan_results.rb CHANGED Viewed

@@ -1,4 +1,72 @@
 module AntiSamy
+  class ScanError < StandardError; end
+  # Scan message, it will contain a message key, tag and optionally content, value
+  class ScanMessage
+    # error.tag.notfound
+    ERROR_TAG_NOT_IN_POLICY = "error.tag.notfound"
+    # error.tag.removed
+    ERROR_TAG_DISALLOWED = "error.tag.removed"
+    # error.tag.filtered
+    ERROR_TAG_FILTERED = "error.tag.filtered"
+    # error.tag.encoded
+    ERROR_TAG_ENCODED = "error.tag.encoded"
+    # error.css.tag.malformed
+    ERROR_CSS_TAG_MALFORMED = "error.css.tag.malformed"
+    # error.css.attribute.malformed
+    ERROR_CSS_ATTRIBUTE_MALFORMED = "error.css.attribute.malformed"
+    # error.attribute.invalid.filtered
+    ERROR_ATTRIBUTE_CAUSE_FILTER = "error.attribute.invalid.filtered"
+    # error.attribute.invalid.encoded
+    ERROR_ATTRIBUTE_CAUSE_ENCODE = "error.attribute.invalid.encoded"
+    # error.attribute.invalid.filtered
+    ERROR_ATTRIBUTE_INVALID_FILTERED = "error.attribute.invalid.filtered"
+    # error.attribute.invalid.removed
+    ERROR_ATTRIBUTE_INVALID_REMOVED = "error.attribute.invalid.removed"
+    # error.attribute.notfound
+    ERROR_ATTRIBUTE_NOT_IN_POLICY = "error.attribute.notfound"
+    # error.attribute.invalid
+    ERROR_ATTRIBUTE_INVALID = "error.attribute.invalid"
+    # comment removed
+    ERROR_COMMENT_REMOVED = "error.comment.removed"
+    # tag rule not found
+    ERROR_CSS_TAG_RULE_NOTFOUND = "error.css.tag.notfound"
+    # style sheet nto found
+    ERROR_STYLESHEET_RULE_NOTFOUND = "error.stylesheet.notfound"
+    # embedded stylesheets disabled
+    ERROR_CSS_IMPORT_DISABLED = "error.css.import.disabled"
+    # bad uri
+    ERROR_CSS_IMPORT_URL_INVALID = "error.css.import.uri.invalid"
+    # disallowed selector
+    ERROR_CSS_TAG_SELECTOR_DISALLOWED = "error.css.tag.removed"
+    # invalid for style sheet
+    ERROR_STYLESHEET_SELECTOR_DISALLOWED = "error.style.tag.notallowed"
+    # invlaid css tag property
+    ERROR_CSS_TAG_PROPERTY_INVALID = "error.css.property.invalid"
+    # invid style sheet roperty tag
+    ERROR_STYLESHEET_PROPERTY_INVALID = "error.stylesheet.css.property.invalid"
+    # exceed alloted imports
+    ERROR_CSS_IMPORT_EXCEEDED = "error.import.exceeded.sheets"
+    # exceede size
+    ERROR_CSS_IMPORT_INPUT_SIZE = "error.import.exceeded.size"
+    # Failed to import
+    ERROR_CSS_IMPORT_FAILURE = "error.import.bad.uri"
+    # selector not found
+    ERROR_STYLESHEET_SELECTOR_NOTFOUND = "error.css.stylesheet.selector.notfound"
+    # selector in css not fond
+    ERROR_CSS_TAG_SELECTOR_NOTFOUND = "error.css.tag.selector.notfound"
+    attr_reader :tag, :content, :value, :msgkey
+    def initialize(msgkey, tag, content=nil,value=nil)
+      @msgkey = msgkey
+      @tag = tag
+      @content = content
+      @value = value
+    end
+    def to_s
+      "#{self.msgkey} #{@tag} #{@content} #{@value}"
+    end
+  end
   # Container of scan results, provides a list of ScanMessage indicating
   # why elements were removed from the resulting html
   class ScanResults

data/lib/antisamy.rb CHANGED Viewed

@@ -1,10 +1,14 @@
 require 'nokogiri'
+require 'antisamy/csspool/rsac'
 require 'antisamy/model/attribute'
 require 'antisamy/model/tag'
 require 'antisamy/model/css_property'
 require 'antisamy/policy'
 require 'antisamy/scan_results'
 require 'antisamy/html/handler'
+require 'antisamy/css/css_validator'
+require 'antisamy/css/css_filter'
+require 'antisamy/css/css_scanner'
 require 'antisamy/html/sax_filter'
 require 'antisamy/html/scanner'