fix(gh-554): add case for LexicalUnit.SAC_OPERATOR_SLASH in CssValida…

…tor to fix font shorthand parsing (#555)
nahsra · Feb 19, 2025 · 9c1cd61 · 9c1cd61
1 parent de4e66e
commit 9c1cd61
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 0 deletions.
diff --git a/src/main/java/org/owasp/validator/css/CssValidator.java b/src/main/java/org/owasp/validator/css/CssValidator.java
@@ -367,6 +367,8 @@ public String lexicalValueToString(LexicalUnit lu) {
         return "inherit";
       case LexicalUnit.SAC_OPERATOR_COMMA:
         return ",";
+      case LexicalUnit.SAC_OPERATOR_SLASH:
+        return "/";
       case LexicalUnit.SAC_FUNCTION:
         StringBuilder builder = new StringBuilder();
 

diff --git a/src/test/java/org/owasp/validator/html/test/AntiSamyTest.java b/src/test/java/org/owasp/validator/html/test/AntiSamyTest.java
@@ -2882,4 +2882,28 @@ private void checkStyleTag(String input, String expected, Policy policy) throws
     assertEquals(expectedCleanHtml, crDom.getCleanHTML());
     assertEquals(expectedCleanHtml, crSax.getCleanHTML());
   }
+
+  @Test
+  public void testGithubIssue554() throws ScanException, PolicyException {
+    checkInlineStyle("font: bold italic large Palatino, serif", "font: bold italic large Palatino , serif;");
+    checkInlineStyle("font: 12pt/14pt sans-serif", "font: 12.0pt / 14.0pt sans-serif;");
+    checkInlineStyle("font: 12.0pt / 14.0pt sans-serif;", "font: 12.0pt / 14.0pt sans-serif;");
+    checkInlineStyle("font: 12.25pt sans-serif;", "font: 12.25pt sans-serif;");
+    checkInlineStyle("font: 14px/20px Tahoma, Geneva, Arial, Verdana, sans-serif",
+                     "font: 14.0px / 20.0px Tahoma , Geneva , Arial , Verdana , sans-serif;");
+  }
+
+  private void checkInlineStyle(String inline, String expected) throws ScanException, PolicyException {
+    //Given
+    String taintedHtml = "<html><head/><body><p style=\"" + inline + "\">test</p></body></html>";
+    String expectedCleanHtml = "<html>\n  <head/>\n  <body>\n    <p style=\"" + expected + "\">test</p>\n  </body>\n</html>";
+
+    //When
+    CleanResults crDom = as.scan(taintedHtml, policy, AntiSamy.DOM);
+    CleanResults crSax = as.scan(taintedHtml, policy, AntiSamy.SAX);
+
+    //Then
+    assertEquals(expectedCleanHtml, crDom.getCleanHTML());
+    assertEquals(expectedCleanHtml, crSax.getCleanHTML());
+  }
 }