antisamy 0.2.1 → 0.3.0

data/CHANGELOG.rdoc

@@ -0,0 +1,13 @@
+== 0.0.1
+
+* Initial commit.
+* CSS scanning is currently not implmented so any CSS will be passed alonger verbatim
+
+== 0.2.1
+
+* CSS version2 implemented
+
+== 0.3
+
+* Proper fragment support and policy now provides a allowed-empty section to customize
+

data/LICENSE.txt

@@ -1,20 +1,20 @@
-Copyright (c) 2011 Sal Scotto
-
-Permission is hereby granted, free of charge, to any person obtaining
-a copy of this software and associated documentation files (the
-"Software"), to deal in the Software without restriction, including
-without limitation the rights to use, copy, modify, merge, publish,
-distribute, sublicense, and/or sell copies of the Software, and to
-permit persons to whom the Software is furnished to do so, subject to
-the following conditions:
-
-The above copyright notice and this permission notice shall be
-included in all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
-EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
-MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
-NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
-LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
-OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
-WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+Copyright (c) 2011 Sal Scotto
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.rdoc

@@ -1,41 +1,41 @@
-= Antisamy
-
-This project is a port of the java AntiSamy project to the ruby runtime. Its intended to provide a library for developers to add protection to their web applications from malicious
-user-supplier HTML and CSS. Please check out the AntiSamy project over at OWASP[http://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project].
-
-== TODO
-
-* At some point support CSS3
-
-== Synopsis
-
-	require 'antisamy'
-	policy = AntiSamy.policy('antisamy.xml')
-	tainted_html = 'User supplied markup'
-	scan_results = AntiSamy.scan(tainted_html,policy)
-	clean_html = scan_results.clean_html
-
-== Example Policies
-
-Please check policy-examples[https://github.com/washu/antisamy-ruby/tree/master/policy-examples] for sample policy files.
-
-== Contributing to antisamy
-
-* Check out the latest master to make sure the feature hasn't been implemented or the bug hasn't been fixed yet
-* Check out the issue tracker to make sure someone already hasn't requested it and/or contributed it
-* Fork the project
-* Start a feature/bugfix branch
-* Commit and push until you are happy with your contribution
-* Make sure to add tests for it. This is important so I don't break it in a future version unintentionally.
-* Please try not to mess with the Rakefile, version, or history. If you want to have your own version, or is otherwise necessary, that is fine, but please isolate to its own commit so I can cherry-pick around it.
-
-== csspool
-
-We use a forked version of csspool 0.2.6 within antysamy, you can find the license
-for csspool in the rsac[https://github.com/washu/antisamy-ruby/tree/master/lib/antisamy/csspool] directory. csspool was re-namespaced to avoid any conflicts and updated for 1.9.2 ruby compatabilty
-
-== Copyright
-
-Copyright (c) 2011 Sal Scotto. See LICENSE.txt for
-further details.
-
+= Antisamy
+
+This project is a port of the java AntiSamy project to the ruby runtime. Its intended to provide a library for developers to add protection to their web applications from malicious
+user-supplier HTML and CSS. Please check out the AntiSamy project over at OWASP[http://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project].
+
+== TODO
+
+* At some point support CSS3
+
+== Synopsis
+
+	require 'antisamy'
+	policy = AntiSamy.policy('antisamy.xml')
+	tainted_html = 'User supplied markup'
+	scan_results = AntiSamy.scan(tainted_html,policy)
+	clean_html = scan_results.clean_html
+
+== Example Policies
+
+Please check policy-examples[https://github.com/washu/antisamy-ruby/tree/master/policy-examples] for sample policy files.
+
+== Contributing to antisamy
+
+* Check out the latest master to make sure the feature hasn't been implemented or the bug hasn't been fixed yet
+* Check out the issue tracker to make sure someone already hasn't requested it and/or contributed it
+* Fork the project
+* Start a feature/bugfix branch
+* Commit and push until you are happy with your contribution
+* Make sure to add tests for it. This is important so I don't break it in a future version unintentionally.
+* Please try not to mess with the Rakefile, version, or history. If you want to have your own version, or is otherwise necessary, that is fine, but please isolate to its own commit so I can cherry-pick around it.
+
+== csspool
+
+We use a forked version of csspool 0.2.6 within antysamy, you can find the license
+for csspool in the rsac[https://github.com/washu/antisamy-ruby/tree/master/lib/antisamy/csspool] directory. csspool was re-namespaced to avoid any conflicts and updated for 1.9.2 ruby compatabilty
+
+== Copyright
+
+Copyright (c) 2011 Sal Scotto. See LICENSE.txt for
+further details.
+

data/lib/antisamy.rb

@@ -1,46 +1,46 @@
-require 'nokogiri'
-require 'antisamy/csspool/rsac'
-require 'antisamy/model/attribute'
-require 'antisamy/model/tag'
-require 'antisamy/model/css_property'
-require 'antisamy/policy'
-require 'antisamy/scan_results'
-require 'antisamy/html/handler'
-require 'antisamy/css/css_validator'
-require 'antisamy/css/css_filter'
-require 'antisamy/css/css_scanner'
-require 'antisamy/html/sax_filter'
-require 'antisamy/html/scanner'
-
-module AntiSamy
-  class << self
-
-    # Setup the input encoding, defaults to UTF-8
-    def input_encoding=(encoding)
-      @@input_encoding = encoding
-    end
-
-    # Setup the output encoding defaults to UTF-8
-    def output_encoding=(encoding)
-      @@output_encoding = encoding
-    end
-
-    # Scan the input using the provided policy.
-    # will raise an exception if there is some form of scannign error
-    def scan(input,policy)
-      scanner = Scanner.new(policy)
-      @@input_encoding ||= Scanner::DEFAULT_ENCODE
-      @@output_encoding ||=  Scanner::DEFAULT_ENCODE
-      clean = scanner.scan(input,@@input_encoding, @output_encoding)
-      clean
-    end
-
-    # Create a policy out of the provided file
-    # will use a string or any IO object that can be read
-    # will raise an exception if the policy fails to validate
-    def policy(policy_file)
-      Policy.new(policy_file)
-    end
-
-  end
-end
+require 'nokogiri'
+require 'antisamy/csspool/rsac'
+require 'antisamy/model/attribute'
+require 'antisamy/model/tag'
+require 'antisamy/model/css_property'
+require 'antisamy/policy'
+require 'antisamy/scan_results'
+require 'antisamy/html/handler'
+require 'antisamy/css/css_validator'
+require 'antisamy/css/css_filter'
+require 'antisamy/css/css_scanner'
+require 'antisamy/html/sax_filter'
+require 'antisamy/html/scanner'
+
+module AntiSamy
+  class << self
+
+    # Setup the input encoding, defaults to UTF-8
+    def input_encoding=(encoding)
+      @@input_encoding = encoding
+    end
+
+    # Setup the output encoding defaults to UTF-8
+    def output_encoding=(encoding)
+      @@output_encoding = encoding
+    end
+
+    # Scan the input using the provided policy.
+    # will raise an exception if there is some form of scannign error
+    def scan(input,policy)
+      scanner = Scanner.new(policy)
+      @@input_encoding ||= Scanner::DEFAULT_ENCODE
+      @@output_encoding ||=  Scanner::DEFAULT_ENCODE
+      clean = scanner.scan(input,@@input_encoding, @output_encoding)
+      clean
+    end
+
+    # Create a policy out of the provided file
+    # will use a string or any IO object that can be read
+    # will raise an exception if the policy fails to validate
+    def policy(policy_file)
+      Policy.new(policy_file)
+    end
+
+  end
+end

data/lib/antisamy/css/css_filter.rb

@@ -1,187 +1,187 @@
-require 'uri'
-module AntiSamy
-  class CssFilter < RSAC::DocumentHandler
-    
-    attr_accessor :clean, :errors, :style_sheets
-    
-    def initialize(policy,tag)
-      @policy = policy
-      @validator = CssValidator.new(@policy)
-      @errors = []
-      @clean = ''
-      @tag = tag
-      @selector_open = false
-      @style_sheets = []
-      @inline = !tag.nil?
-      @media_open = false
-      @current_media = nil
-    end
-    # Start of document
-    def start_document(input_source) #:nodoc:
-    end
-
-    # Receive notification of the end of a style sheet.
-    def end_document(input_source) #:nodoc:
-    end
-
-    # Receive notification of a comment
-    def comment(text)
-      @errors << ScanMessage.new(ScanMessage::ERROR_COMMENT_REMOVED,@tag,text)
-    end
-    
-    def error(exception)
-      #puts exception
-    end
-
-    def fatal_error(exception)
-      #puts exception
-    end
-    
-    def error(t)
-      #puts t
-    end
-    
-    def warn(t)
-      #puts t
-    end
-    
-    def warning_error(exception)
-      #puts exception
-    end    
-    # Receive notification of an unknown at rule not supported by this parser.
-    def ignorable_at_rule(at_rule)
-      if inline
-        @errors << ScanMessage.new(ScanMessage::ERROR_CSS_TAG_RULE_NOTFOUND,@tag,at_rule)
-      else
-        @errors << ScanMessage.new(ScanMessage::ERROR_STYLESHEET_RULE_NOTFOUND,@tag,at_rule)
-      end
-    end
-    
-    # Namespace declaration
-    def namespace_declaration(prefix, uri) #:nodoc:
-    end
-
-    # Called on an import statement
-    def import_style(uri, media, default_namespace_uri = nil)
-      # check directive
-      unless @policy.directive(Policy::EMBED_STYLESHEETS)
-        @errors << ScanMessage.new(ScanMessage::ERROR_CSS_IMPORT_DISABLED,@tag,uri)
-        return
-      end
-      # check for null uri
-      if uri.nil?
-        @errors << ScanMessage.new(ScanMessage::ERROR_CSS_IMPORT_URL_INVALID,@tag)
-      end
-      # check uri rules
-      begin
-        luri = RSAC::LexicalURI.new(uri)
-        link = URI.parse(luri.string_value)
-        link.normalize!
-        onsite = @policy.expression("offsiteURL")
-        offsite = @policy.expression("onsiteURL")
-        # bad uri
-        raise "Invalid URI Pattern" if link.to_s !~ onsite and link.to_s !~ offsite
-        raise "Invalid URI" unless link.absolute?
-        @style_sheets << link
-      rescue Exception => e
-        @errors << ScanMessage.new(ScanMessage::ERROR_CSS_IMPORT_URL_INVALID,@tag,uri)        
-      end
-    end
-
-    # Notification of the start of a media statement
-    def start_media(media)
-      @media_open = true
-      @current_media = media
-    end
-
-    # Notification of the end of a media statement
-    def end_media(media)
-      @media_open = false
-      @current_media = nil
-    end
-
-    # Notification of the start of a page statement
-    def start_page(name = nil, pseudo_page = nil) #:nodoc:
-    end
-
-    # Notification of the end of a page statement
-    def end_page(name = nil, pseudo_page = nil) # :nodoc:
-    end
-
-    # Notification of the beginning of a font face statement.
-    def start_font_face #:nodoc:
-    end
-
-    # Notification of the end of a font face statement.
-    def end_font_face #:nodoc:
-    end
-
-    # Notification of the beginning of a rule statement.
-    def start_selector(selectors)
-      count = 0
-      selectors.each do |s|
-        name = s.to_css
-        valid = false
-        begin
-          @validator.valid_selector?(name,s)
-          valid = true
-        rescue Exception => e
-          if @inline
-            @errors << ScanMessage.new(ScanMessage::ERROR_CSS_TAG_SELECTOR_NOTFOUND,@tag,name)
-          else
-            @errors << ScanMessage.new(ScanMessage::ERROR_STYLESHEET_SELECTOR_NOTFOUND,@tag,name)
-          end
-        
-        end
-        if valid
-          if count > 0
-            clean << ", "
-          end
-          clean << name
-          count += 1
-        else
-          # not allowed selector
-          if @inline
-            @errors << ScanMessage.new(ScanMessage::ERROR_CSS_TAG_SELECTOR_DISALLOWED,@tag,name)
-          else
-            @errors << ScanMessage.new(ScanMessage::ERROR_STYLESHEET_SELECTOR_DISALLOWED,@tag,name)
-          end
-        end
-      end
-      if count > 0
-        clean << " {\n"
-        @selector_open = true
-      end
-    end
-
-    # Notification of the end of a rule statement.
-    def end_selector(selectors)
-      if @selector_open
-        clean << "}\n"
-      end
-      @selector_open = false
-    end
-
-    # Notification of a declaration.
-    def property(name, value, important)      
-      return unless @selector_open and @inline
-      if @validator.valid_property?(name,value)
-        clean << "\t" unless @inline
-        clean << "#{name}:"
-        value.each do |v|
-          clean << " #{v.to_s}"
-        end
-        clean << ";"
-        clean << "\n" unless @inline
-      else
-        cval = value.to_s
-        if @inline
-          @errors << ScanMessage.new(ScanMessage::ERROR_CSS_TAG_PROPERTY_INVALID,@tag,name,cval)
-        else
-          @errors << ScanMessage.new(ScanMessage::ERROR_STYLESHEET_PROPERTY_INVALID,@tag,name,cval)
-        end        
-      end
-      
-    end
-  end
-end
+require 'uri'
+module AntiSamy
+  class CssFilter < RSAC::DocumentHandler
+    
+    attr_accessor :clean, :errors, :style_sheets
+    
+    def initialize(policy,tag)
+      @policy = policy
+      @validator = CssValidator.new(@policy)
+      @errors = []
+      @clean = ''
+      @tag = tag
+      @selector_open = false
+      @style_sheets = []
+      @inline = !tag.nil?
+      @media_open = false
+      @current_media = nil
+    end
+    # Start of document
+    def start_document(input_source) #:nodoc:
+    end
+
+    # Receive notification of the end of a style sheet.
+    def end_document(input_source) #:nodoc:
+    end
+
+    # Receive notification of a comment
+    def comment(text)
+      @errors << ScanMessage.new(ScanMessage::ERROR_COMMENT_REMOVED,@tag,text)
+    end
+    
+    def error(exception)
+      #puts exception
+    end
+
+    def fatal_error(exception)
+      #puts exception
+    end
+    
+    def error(t)
+      #puts t
+    end
+    
+    def warn(t)
+      #puts t
+    end
+    
+    def warning_error(exception)
+      #puts exception
+    end    
+    # Receive notification of an unknown at rule not supported by this parser.
+    def ignorable_at_rule(at_rule)
+      if inline
+        @errors << ScanMessage.new(ScanMessage::ERROR_CSS_TAG_RULE_NOTFOUND,@tag,at_rule)
+      else
+        @errors << ScanMessage.new(ScanMessage::ERROR_STYLESHEET_RULE_NOTFOUND,@tag,at_rule)
+      end
+    end
+    
+    # Namespace declaration
+    def namespace_declaration(prefix, uri) #:nodoc:
+    end
+
+    # Called on an import statement
+    def import_style(uri, media, default_namespace_uri = nil)
+      # check directive
+      unless @policy.directive(Policy::EMBED_STYLESHEETS)
+        @errors << ScanMessage.new(ScanMessage::ERROR_CSS_IMPORT_DISABLED,@tag,uri)
+        return
+      end
+      # check for null uri
+      if uri.nil?
+        @errors << ScanMessage.new(ScanMessage::ERROR_CSS_IMPORT_URL_INVALID,@tag)
+      end
+      # check uri rules
+      begin
+        luri = RSAC::LexicalURI.new(uri)
+        link = URI.parse(luri.string_value)
+        link.normalize!
+        onsite = @policy.expression("offsiteURL")
+        offsite = @policy.expression("onsiteURL")
+        # bad uri
+        raise "Invalid URI Pattern" if link.to_s !~ onsite and link.to_s !~ offsite
+        raise "Invalid URI" unless link.absolute?
+        @style_sheets << link
+      rescue Exception => e
+        @errors << ScanMessage.new(ScanMessage::ERROR_CSS_IMPORT_URL_INVALID,@tag,uri)        
+      end
+    end
+
+    # Notification of the start of a media statement
+    def start_media(media)
+      @media_open = true
+      @current_media = media
+    end
+
+    # Notification of the end of a media statement
+    def end_media(media)
+      @media_open = false
+      @current_media = nil
+    end
+
+    # Notification of the start of a page statement
+    def start_page(name = nil, pseudo_page = nil) #:nodoc:
+    end
+
+    # Notification of the end of a page statement
+    def end_page(name = nil, pseudo_page = nil) # :nodoc:
+    end
+
+    # Notification of the beginning of a font face statement.
+    def start_font_face #:nodoc:
+    end
+
+    # Notification of the end of a font face statement.
+    def end_font_face #:nodoc:
+    end
+
+    # Notification of the beginning of a rule statement.
+    def start_selector(selectors)
+      count = 0
+      selectors.each do |s|
+        name = s.to_css
+        valid = false
+        begin
+          @validator.valid_selector?(name,s)
+          valid = true
+        rescue Exception => e
+          if @inline
+            @errors << ScanMessage.new(ScanMessage::ERROR_CSS_TAG_SELECTOR_NOTFOUND,@tag,name)
+          else
+            @errors << ScanMessage.new(ScanMessage::ERROR_STYLESHEET_SELECTOR_NOTFOUND,@tag,name)
+          end
+        
+        end
+        if valid
+          if count > 0
+            clean << ", "
+          end
+          clean << name
+          count += 1
+        else
+          # not allowed selector
+          if @inline
+            @errors << ScanMessage.new(ScanMessage::ERROR_CSS_TAG_SELECTOR_DISALLOWED,@tag,name)
+          else
+            @errors << ScanMessage.new(ScanMessage::ERROR_STYLESHEET_SELECTOR_DISALLOWED,@tag,name)
+          end
+        end
+      end
+      if count > 0
+        clean << " {\n"
+        @selector_open = true
+      end
+    end
+
+    # Notification of the end of a rule statement.
+    def end_selector(selectors)
+      if @selector_open
+        clean << "}\n"
+      end
+      @selector_open = false
+    end
+
+    # Notification of a declaration.
+    def property(name, value, important)      
+      return unless @selector_open and @inline
+      if @validator.valid_property?(name,value)
+        clean << "\t" unless @inline
+        clean << "#{name}:"
+        value.each do |v|
+          clean << " #{v.to_s}"
+        end
+        clean << ";"
+        clean << "\n" unless @inline
+      else
+        cval = value.to_s
+        if @inline
+          @errors << ScanMessage.new(ScanMessage::ERROR_CSS_TAG_PROPERTY_INVALID,@tag,name,cval)
+        else
+          @errors << ScanMessage.new(ScanMessage::ERROR_STYLESHEET_PROPERTY_INVALID,@tag,name,cval)
+        end        
+      end
+      
+    end
+  end
+end