Revision: 5497
Author: [email protected]
Date: Wed Jul 17 15:09:45 2013
Log: allow numeric font-weight in client-side css sanitizer
https://codereview.appspot.com/11458044
font-weight is special because the allowed value list includes things
that look like numbers. The client-side css parser applies numeric value
checks before literal value checks, so font-weight:200 is always elided.
This fixes that by moving the literal value check before the numeric
value check.
This fixes
https://code.google.com/p/google-caja/issues/detail?id=1771
R=mikesamuel
http://code.google.com/p/google-caja/source/detail?r=5497
Modified:
/trunk/src/com/google/caja/plugin/sanitizecss.js
/trunk/tests/com/google/caja/plugin/css-stylesheet-tests.js
=======================================
--- /trunk/src/com/google/caja/plugin/sanitizecss.js Mon Jul 15 14:11:53
2013
+++ /trunk/src/com/google/caja/plugin/sanitizecss.js Wed Jul 17 15:09:45
2013
@@ -199,6 +199,7 @@
var cc = token.charCodeAt(0), cc1, cc2, isnum1, isnum2, end;
var litGroup, litMap;
token = (
+
// Strip out spaces. Normally cssparser.js dumps these, but we
// strip them out in case the content doesn't come via
cssparser.js.
(cc === ' '.charCodeAt(0)) ? ''
@@ -225,12 +226,26 @@
// Drop if quoted strings not allowed.
: ''
)
+
// Preserve hash color literals if allowed.
: (cc === '#'.charCodeAt(0) &&
/^#(?:[0-9a-f]{3}){1,2}$/.test(token))
? (propBits & CSS_PROP_BIT_HASH_VALUE ? token : '')
+
+ : (
+ litGroup = propertySchema.cssLitGroup,
+ litMap = (litGroup
+ ? (propertySchema.cssLitMap
+ // Lazily compute the union from litGroup.
+ || (propertySchema.cssLitMap =
unionArrays(litGroup)))
+ : ALLOWED_LITERAL), // A convenient empty object.
+ (litMap[token] === ALLOWED_LITERAL))
+ // Token is in the literal map or matches extra.
+ ? token
+
: ('0'.charCodeAt(0) <= cc && cc <= '9'.charCodeAt(0))
// A number starting with a digit.
? ((propBits & CSS_PROP_BIT_QUANTITY) ? token : '')
+
// Normalize quantities so they don't start with a '.' or '+'
sign and
// make sure they all have an integer component so can't be
confused
// with a dotted identifier.
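Review bot: The reason the literal-map branch now precedes the digit branch exists only in the commit message; nothing at the new `: (` … `? token` lines tells a later reader that this order is load-bearing, so a routine tidy-up could reintroduce the font-weight:200 elision. I would add, above the new `: (` line, `// Deliberately checked before the numeric branches: some literal lists (e.g. font-weight's 200) are digit-only tokens that the quantity checks would otherwise drop.`. The moved comment `// Token is in the literal map or matches extra.` also looks stale, since the expression checks only `litMap[token] === ALLOWED_LITERAL` and no "extra" match is visible here; `// Token is one of the property's allowed literal keywords.` would be accurate. The reorder is wider than font-weight: any token found in a property's literal map is now returned verbatim ahead of the CSS_PROP_BIT_QUANTITY / CSS_PROP_BIT_NEGATIVE_QUANTITY checks and the '.'/'+'/'-' normalization, which is sound only while literal lists contain exact keywords and never quantity-shaped strings such as `.5` — that invariant is worth stating in the same comment. The `token = (` expression this hunk rewrites both begins and ends outside the hunk.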
@@ -245,15 +260,18 @@
? ((propBits & CSS_PROP_BIT_QUANTITY)
? ((isnum1 ? '' : '0') + token.substring(1))
: '')
+
// -.5 -> -0.5 if allowed otherwise -> 0 if quantities allowed.
: (cc === '-'.charCodeAt(0)
&& (isnum1 || (cc1 === '.'.charCodeAt(0) && isnum2)))
? ((propBits & CSS_PROP_BIT_NEGATIVE_QUANTITY)
? ((isnum1 ? '-' : '-0') + token.substring(1))
: ((propBits & CSS_PROP_BIT_QUANTITY) ? '0' : ''))
+
// .5 -> 0.5 if allowed.
: (cc === '.'.charCodeAt(0) && isnum1)
? ((propBits & CSS_PROP_BIT_QUANTITY) ? '0' + token : '')
+
// Handle url("...") by rewriting the body.
: ('url(' === token.substring(0, 4))
? ((opt_naiveUriRewriter && (propBits & CSS_PROP_BIT_URL))
@@ -262,21 +280,13 @@
property,
opt_naiveUriRewriter))
: '')
+
// Handle func(...) by recursing.
// Functions start at a token like "name(" and end with a ")"
taking
// into account nesting.
: (token.charAt(token.length-1) === '(')
? sanitizeFunctionCall(tokens, i)
- : (
- litGroup = propertySchema.cssLitGroup,
- litMap = (litGroup
- ? (propertySchema.cssLitMap
- // Lazily compute the union from litGroup.
- || (propertySchema.cssLitMap =
unionArrays(litGroup)))
- : ALLOWED_LITERAL), // A convenient empty object.
- (litMap[token] === ALLOWED_LITERAL))
- // Token is in the literal map or matches extra.
- ? token
+
: (/^\w+$/.test(token)
&& stringDisposition === CSS_PROP_BIT_UNRESERVED_WORD
&& (propBits & CSS_PROP_BIT_QSTRING))
@@ -292,6 +302,7 @@
+ ' ' + token + '"'),
token = '')
: (lastQuoted = k, '"' + token + '"'))
+
// Disallowed.
: '');
if (token) {
=======================================
--- /trunk/tests/com/google/caja/plugin/css-stylesheet-tests.js Mon Jul 15
13:10:17 2013
+++ /trunk/tests/com/google/caja/plugin/css-stylesheet-tests.js Wed Jul 17
15:09:45 2013
@@ -21,6 +21,16 @@
*/
runCssSelectorTests([
+ {
+ // font-weight is special because it only admits specific numbers
+ "test_name": "FontWeight",
+ "tests": [
+ {
+ "cssText": "p { font-weight: 100; font-weight: 150; }",
+ "golden": ".namespace__ p{font-weight:100}"
+ }
+ ]
+ },
{
"test_name": "AtRules",
"tests": [