Reviewers: MikeSamuel,
Description:
font-weight is special because the allowed value list includes things
that look like numbers. The client-side css parser applies numeric value
checks before literal value checks, so font-weight:200 is always elided.
This fixes that by moving the literal value check before the numeric
value check.
This fixes
https://code.google.com/p/google-caja/issues/detail?id=1771
Please review this at https://codereview.appspot.com/11458044/
Affected files:
M src/com/google/caja/plugin/sanitizecss.js
M tests/com/google/caja/plugin/css-stylesheet-tests.js
Index: src/com/google/caja/plugin/sanitizecss.js
===================================================================
--- src/com/google/caja/plugin/sanitizecss.js (revision 5496)
+++ src/com/google/caja/plugin/sanitizecss.js (working copy)
@@ -199,6 +199,7 @@
var cc = token.charCodeAt(0), cc1, cc2, isnum1, isnum2, end;
var litGroup, litMap;
token = (
+
// Strip out spaces. Normally cssparser.js dumps these, but we
// strip them out in case the content doesn't come via
cssparser.js.
(cc === ' '.charCodeAt(0)) ? ''
@@ -225,12 +226,26 @@
// Drop if quoted strings not allowed.
: ''
)
+
// Preserve hash color literals if allowed.
: (cc === '#'.charCodeAt(0) &&
/^#(?:[0-9a-f]{3}){1,2}$/.test(token))
? (propBits & CSS_PROP_BIT_HASH_VALUE ? token : '')
+
+ : (
+ litGroup = propertySchema.cssLitGroup,
+ litMap = (litGroup
+ ? (propertySchema.cssLitMap
+ // Lazily compute the union from litGroup.
+ || (propertySchema.cssLitMap =
unionArrays(litGroup)))
+ : ALLOWED_LITERAL), // A convenient empty object.
+ (litMap[token] === ALLOWED_LITERAL))
+ // Token is in the literal map or matches extra.
+ ? token
+
: ('0'.charCodeAt(0) <= cc && cc <= '9'.charCodeAt(0))
// A number starting with a digit.
? ((propBits & CSS_PROP_BIT_QUANTITY) ? token : '')
+
// Normalize quantities so they don't start with a '.' or '+'
sign and
// make sure they all have an integer component so can't be
confused
// with a dotted identifier.
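Review bot: The comment carried along with the moved branch, `// Token is in the literal map or matches extra.`, no longer says why this branch now sits ahead of the digit check, and nothing in the hunk corresponds to "matches extra"; I would rewrite it as `// Token is one of the property's allowed literal values. Checked before the numeric branches so literal-looking numbers (e.g. font-weight 100..900) are kept rather than elided.` so the ordering the fix depends on is not undone by a later tidy-up. The matching removal is in the hunk at -262,21 +280,13. The branch is one arm of a conditional expression that begins and ends outside this hunk, and the lazily computed `propertySchema.cssLitMap` union is cached on the shared schema object, which presumably is intended but is worth a one-line note at the assignment.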
@@ -245,15 +260,18 @@
? ((propBits & CSS_PROP_BIT_QUANTITY)
? ((isnum1 ? '' : '0') + token.substring(1))
: '')
+
// -.5 -> -0.5 if allowed otherwise -> 0 if quantities allowed.
: (cc === '-'.charCodeAt(0)
&& (isnum1 || (cc1 === '.'.charCodeAt(0) && isnum2)))
? ((propBits & CSS_PROP_BIT_NEGATIVE_QUANTITY)
? ((isnum1 ? '-' : '-0') + token.substring(1))
: ((propBits & CSS_PROP_BIT_QUANTITY) ? '0' : ''))
+
// .5 -> 0.5 if allowed.
: (cc === '.'.charCodeAt(0) && isnum1)
? ((propBits & CSS_PROP_BIT_QUANTITY) ? '0' + token : '')
+
// Handle url("...") by rewriting the body.
: ('url(' === token.substring(0, 4))
? ((opt_naiveUriRewriter && (propBits & CSS_PROP_BIT_URL))
@@ -262,21 +280,13 @@
property,
opt_naiveUriRewriter))
: '')
+
// Handle func(...) by recursing.
// Functions start at a token like "name(" and end with a ")"
taking
// into account nesting.
: (token.charAt(token.length-1) === '(')
? sanitizeFunctionCall(tokens, i)
- : (
- litGroup = propertySchema.cssLitGroup,
- litMap = (litGroup
- ? (propertySchema.cssLitMap
- // Lazily compute the union from litGroup.
- || (propertySchema.cssLitMap =
unionArrays(litGroup)))
- : ALLOWED_LITERAL), // A convenient empty object.
- (litMap[token] === ALLOWED_LITERAL))
- // Token is in the literal map or matches extra.
- ? token
+
: (/^\w+$/.test(token)
&& stringDisposition === CSS_PROP_BIT_UNRESERVED_WORD
&& (propBits & CSS_PROP_BIT_QSTRING))
@@ -292,6 +302,7 @@
+ ' ' + token + '"'),
token = '')
: (lastQuoted = k, '"' + token + '"'))
+
// Disallowed.
: '');
if (token) {
Index: tests/com/google/caja/plugin/css-stylesheet-tests.js
===================================================================
--- tests/com/google/caja/plugin/css-stylesheet-tests.js (revision 5496)
+++ tests/com/google/caja/plugin/css-stylesheet-tests.js (working copy)
@@ -22,6 +22,16 @@
runCssSelectorTests([
{
+ // font-weight is special because it only admits specific numbers
+ "test_name": "FontWeight",
+ "tests": [
+ {
+ "cssText": "p { font-weight: 100; font-weight: 150; }",
+ "golden": ".namespace__ p{font-weight:100}"
+ }
+ ]
+ },
+ {
"test_name": "AtRules",
"tests": [
{
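Review bot: The new FontWeight case only checks that a listed number (100) is kept and an unlisted one (150) is dropped; it does not show that the reordered literal check still rejects numeric-looking tokens that are not in the literal list but would have matched the quantity branch, such as a value with a unit. I would extend the case to `"cssText": "p { font-weight: 100; font-weight: 150; font-weight: bold; font-weight: 200px; }"` with the golden keeping only `100` and `bold`, in whatever serialization the harness uses for two surviving declarations (the existing golden shows a single declaration, so I cannot quote the exact expected string from here).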