[Building Sakai] More AntiSamy issues

Aaron Zeckoski azeckoski at unicon.net
Wed Jul 31 09:59:40 PDT 2013


Jeremy,
Where did this style come from? Was it from the RTE or pasted in from
a program or hand edited to be like this?

Quick note here on the use of points (pt) and not pixels (px). pt is
not recommended for use in on screen rendering and should be used for
print rendering only. Since style attributes cannot be limited to
print only, it would generally be discouraged to include pt sizes in
style attributes.

http://www.w3.org/Style/Examples/007/units.en.html
http://www.w3.org/TR/css3-values/

Knowing the origin of this would help us determine if this should be
fixed globally for Sakai or locally in your instance via an adjustment
to your antisamy rules.

The rules determining this are these ones:
<regexp name="positiveLength"
value="((\+)?0|(\+)?([0-9]+(\.[0-9]+)?)(em|ex|px|in|cm|mm|pt|pc))" />
<regexp name="positivePercentage" value="(\+)?([0-9]+(\.[0-9]+)?)%" />

Based on this, it has nothing to do with the fact it is a point (pt)
but rather that the number is not written according to the spec (which
is to say: .0001pt instead of 0.0001pt). Adding in the 0 in front as
per the spec should resolve the issue:
http://www.w3.org/TR/css3-values/#number
Number values are denoted by <number>. A number is either an <integer>
or zero or more decimal digits followed by a dot (.) followed by one
or more decimal digits. It corresponds to the NUMBER token in the
grammar. As with integers, the first character of a number may be
immediately preceded by ‘-’ or ‘+’ to indicate the number's sign.

From that you can see that the preceding 0 is not optional, therefore
the HTML does not adhere to the spec and thus antisamy cleans it as
invalid. I would imagine that most browsers will handle things like
this without an issue, but antisamy tends to rigidly adhere to the
spec and as a programmer, I think that is the correct decision on
their part.

-AZ


On Wed, Jul 31, 2013 at 11:39 AM, Kusnetz, Jeremy <JKusnetz at apus.edu> wrote:
> Things we are finding that are causing us problems:
>
> Pixels are not allowed in these tags.
>
> Some results:
>
> 1. <p style=”margin-bottom:0.0in;”>hello</p>
>
> Result: Passes
>
> 2. <p style="margin-bottom:0in;margin-bottom:.0001pt;">
>
> Hello</p>
>
> Result: Alert: The p tag had a style attribute, "margin-bottom", that could
> not be allowed for security reasons.
>
> The pixel part of the code is automatically removed, leaving:
>
> <p style="margin-bottom: 0.0in;">
>
>             Hello</p>
>
> 3. <p style="margin-bottom:.0001pt;">
>
>             Hello</p>
>
> Result: Alert: The p tag had a style attribute, "margin-bottom", that could
> not be allowed for security reasons.
>
> Strips code down to:
>
> <p style="">
>
>                 Hello</p>
>
> Jeremy Kusnetz | Sr. Systems Engineer
>
> American Public University System
> American Military University  |  American Public University
> 661 S George Street, Charles Town, WV 25414
> T 304-885-5333 | M 703-967-5212 |  jkusnetz at apus.edu| www.apus.edu
>



-- 
Aaron Zeckoski - Software Architect - http://tinyurl.com/azprofile
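To make the point above concrete, here is an added worked example (not code from the thread or from AntiSamy itself) that runs the two policy regexes Aaron quoted over Jeremy's three margin-bottom cases. Values are matched in full, which is assumed here to mirror how AntiSamy applies a CSS regexp; the "relaxed" pattern is an assumed local adjustment that additionally accepts the leading-dot form, not a stock rule.

```python
import re

# Both regexes are the AntiSamy policy rules quoted in the mail above.
POSITIVE_LENGTH = r"((\+)?0|(\+)?([0-9]+(\.[0-9]+)?)(em|ex|px|in|cm|mm|pt|pc))"
POSITIVE_PERCENTAGE = r"(\+)?([0-9]+(\.[0-9]+)?)%"
STRICT = (POSITIVE_LENGTH, POSITIVE_PERCENTAGE)

# Assumed local relaxation (not a stock AntiSamy rule): also accept a
# leading-dot fraction such as ".0001pt", which browsers tolerate but the
# CSS <number> grammar does not. Sign and unit handling stay unchanged.
RELAXED_LENGTH = (r"((\+)?0|(\+)?([0-9]+(\.[0-9]+)?|\.[0-9]+)"
                  r"(em|ex|px|in|cm|mm|pt|pc))")
RELAXED = (RELAXED_LENGTH, POSITIVE_PERCENTAGE)


def value_allowed(value, patterns=STRICT):
    """True if the whole value matches one of the policy regexes."""
    v = value.strip()
    return any(re.fullmatch(p, v) is not None for p in patterns)


def filter_style(style, patterns=STRICT, prop="margin-bottom"):
    """Keep only the declarations of `prop` whose value passes the policy.

    Returns (kept, dropped): the surviving style string, written back in the
    "name: value;" form seen in Jeremy's output, and the rejected values that
    would trigger the "could not be allowed for security reasons" alert.
    """
    kept, dropped = [], []
    for decl in style.split(";"):
        if ":" not in decl:
            continue
        name, value = (s.strip() for s in decl.split(":", 1))
        if name != prop:
            continue  # other properties are governed by other policy rules
        if value_allowed(value, patterns):
            kept.append(f"{name}: {value}")
        else:
            dropped.append(value)
    return "; ".join(kept) + (";" if kept else ""), dropped


if __name__ == "__main__":
    # Constructed from the three cases in Jeremy's mail.
    for style in ("margin-bottom:0.0in;",
                  "margin-bottom:0in;margin-bottom:.0001pt;",
                  "margin-bottom:.0001pt;"):
        print(style, "->", filter_style(style), "| relaxed:",
              filter_style(style, RELAXED))
```

Case 2 keeps only "margin-bottom: 0in;" and case 3 is stripped to an empty style under the strict rules, exactly as observed; with the relaxed pattern both ".0001pt" values survive.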