From 9c1cd61c3ae234e3360e459afc3ef5df2b61a685 Mon Sep 17 00:00:00 2001
From: jonah1und1
Date: Wed, 19 Feb 2025 23:06:08 +0100
Subject: [PATCH] fix(gh-554): add case for LexicalUnit.SAC_OPERATOR_SLASH in
CssValidator to fix font shorthand parsing (#555)
---
.../org/owasp/validator/css/CssValidator.java | 2 ++
.../validator/html/test/AntiSamyTest.java | 24 +++++++++++++++++++
2 files changed, 26 insertions(+)
diff --git a/src/main/java/org/owasp/validator/css/CssValidator.java b/src/main/java/org/owasp/validator/css/CssValidator.java
index 8f6c07b..d8c9f0b 100644
--- a/src/main/java/org/owasp/validator/css/CssValidator.java
+++ b/src/main/java/org/owasp/validator/css/CssValidator.java
@@ -367,6 +367,8 @@ public String lexicalValueToString(LexicalUnit lu) {
return "inherit";
case LexicalUnit.SAC_OPERATOR_COMMA:
return ",";
+ case LexicalUnit.SAC_OPERATOR_SLASH:
+ return "/";
case LexicalUnit.SAC_FUNCTION:
StringBuilder builder = new StringBuilder();
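Review bot: The new `SAC_OPERATOR_SLASH` case emits a literal `/` into the rebuilt value for every property, not only `font`, and the hunk carries no explanation of why the token is needed or what branch it previously fell through to. I would add a one-line comment above the case, e.g. `// e.g. "font: 12pt/14pt": the slash separates font-size from line-height and must survive round-tripping`. Since the reassembled string is presumably what the property-level validation later inspects (that happens outside this hunk), it is worth confirming that a `/` in a value whose policy pattern does not allow it is still rejected rather than passed through now that it is serialised instead of dropped. lexicalValueToString continues outside the hunk.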
diff --git a/src/test/java/org/owasp/validator/html/test/AntiSamyTest.java b/src/test/java/org/owasp/validator/html/test/AntiSamyTest.java
index 0dcf7a2..a4c0a4f 100644
--- a/src/test/java/org/owasp/validator/html/test/AntiSamyTest.java
+++ b/src/test/java/org/owasp/validator/html/test/AntiSamyTest.java
@@ -2882,4 +2882,28 @@ private void checkStyleTag(String input, String expected, Policy policy) throws
assertEquals(expectedCleanHtml, crDom.getCleanHTML());
assertEquals(expectedCleanHtml, crSax.getCleanHTML());
}
+
+ @Test
+ public void testGithubIssue554() throws ScanException, PolicyException {
+ checkInlineStyle("font: bold italic large Palatino, serif", "font: bold italic large Palatino , serif;");
+ checkInlineStyle("font: 12pt/14pt sans-serif", "font: 12.0pt / 14.0pt sans-serif;");
+ checkInlineStyle("font: 12.0pt / 14.0pt sans-serif;", "font: 12.0pt / 14.0pt sans-serif;");
+ checkInlineStyle("font: 12.25pt sans-serif;", "font: 12.25pt sans-serif;");
+ checkInlineStyle("font: 14px/20px Tahoma, Geneva, Arial, Verdana, sans-serif",
+ "font: 14.0px / 20.0px Tahoma , Geneva , Arial , Verdana , sans-serif;");
+ }
+
+ private void checkInlineStyle(String inline, String expected) throws ScanException, PolicyException {
+ //Given
+ String taintedHtml = "
test
";
+ String expectedCleanHtml = "\n \n test
\n \n";
+
+ //When
+ CleanResults crDom = as.scan(taintedHtml, policy, AntiSamy.DOM);
+ CleanResults crSax = as.scan(taintedHtml, policy, AntiSamy.SAX);
+
+ //Then
+ assertEquals(expectedCleanHtml, crDom.getCleanHTML());
+ assertEquals(expectedCleanHtml, crSax.getCleanHTML());
+ }
}
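Review bot: testGithubIssue554 only checks that slash-bearing `font` values are accepted and re-serialised; it does not check that the newly emitted `/` cannot widen what the validator lets through, so a negative case would make the fix safer to maintain, e.g. `checkInlineStyle` with a property whose policy pattern does not permit a slash, asserting that the declaration is still stripped (the exact property depends on the policy file used by `policy`, which is not visible here). As a point of style, `checkInlineStyle` repeats the Given/When/Then shape of the existing `checkStyleTag(String, String, Policy)` helper but hard-codes `policy`; passing the policy explicitly, or delegating to the existing helper, would avoid the duplicated scan-and-assert code. The `//Given`, `//When`, `//Then` comments should also get a space after `//` to match the file's comment style. The tainted and expected HTML string literals in this rendering appear to have lost their tag text, so their exact content should be checked against the actual commit.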