1 // Copyright (c) 2011, Mike Samuel
2 // All rights reserved.
3 //
4 // Redistribution and use in source and binary forms, with or without
5 // modification, are permitted provided that the following conditions
6 // are met:
7 //
8 // Redistributions of source code must retain the above copyright
9 // notice, this list of conditions and the following disclaimer.
10 // Redistributions in binary form must reproduce the above copyright
11 // notice, this list of conditions and the following disclaimer in the
12 // documentation and/or other materials provided with the distribution.
13 // Neither the name of the OWASP nor the names of its contributors may
14 // be used to endorse or promote products derived from this software
15 // without specific prior written permission.
16 // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
17 // "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
18 // LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
19 // FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
20 // COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
21 // INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
22 // BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
23 // LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
24 // CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 // LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
26 // ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
27 // POSSIBILITY OF SUCH DAMAGE.
28 
29 package org.owasp.html;
30 
31 import javax.annotation.Nullable;
32 
33 import org.junit.Test;
34 
35 import junit.framework.TestCase;
36 
37 public class StylingPolicyTest extends TestCase {
38   @Test
testNothingToOutput()39   public static final void testNothingToOutput() {
40     assertSanitizedCss(null, "");
41     assertSanitizedCss(null, "/** no CSS here */");
42     assertSanitizedCss(null, "/* props: disabled; font-weight: bold */");
43     assertSanitizedCss(null, "position: fixed");
44     assertSanitizedCss(
45         null, "background: url('javascript:alert%281337%29')");
46   }
47 
48   @Test
testColors()49   public static final void testColors() {
50     assertSanitizedCss("color:red", "color: red");
51     assertSanitizedCss("background-color:#f00", "background-color: #f00");
52     assertSanitizedCss("background:#f00", "background: #f00");
53     assertSanitizedCss("color:#f00", "color: #F00");
54     assertSanitizedCss(null, "color: #F000");
55     assertSanitizedCss("color:#ff0000", "color: #ff0000");
56     assertSanitizedCss("color:rgb( 255 , 0 , 0 )", "color: rgb(255, 0, 0)");
57     assertSanitizedCss("background:rgb( 100% , 0 , 0 )",
58                        "background: rgb(100%, 0, 0)");
59     assertSanitizedCss(
60         "color:rgba( 100% , 0 , 0 , 100% )", "color: RGBA(100%, 0, 0, 100%)");
61     assertSanitizedCss(null, "color: transparent");
62     assertSanitizedCss(null, "color: bogus");
63     assertSanitizedCss(null, "color: expression(alert(1337))");
64     assertSanitizedCss(null, "color: 000");
65     assertSanitizedCss(null, "background-color: 000");
66     // Not colors.
67     assertSanitizedCss(null, "background: \"pwned.jpg\"");
68     assertSanitizedCss(null, "background: url(pwned.jpg)");
69     assertSanitizedCss(null, "color:#urlabc");
70     assertSanitizedCss(null, "color:#urlabcd");
71   }
72 
73   @Test
testFontWeight()74   public static final void testFontWeight() {
75     assertSanitizedCss(
76         "font-weight:bold", "font-weight: bold");
77     assertSanitizedCss(
78         "font:bold", "font: bold");
79     assertSanitizedCss(
80         "font:bolder", "font: Bolder");
81     assertSanitizedCss(
82         "font-weight:800", "font-weight: 800");
83     assertSanitizedCss(
84         null, "font-weight: expression(alert(1337))");
85     assertSanitizedCss(
86         "font:'evil'",
87         "font: 3execute evil");
88   }
89 
90   @Test
testFontStyle()91   public static final void testFontStyle() {
92     assertSanitizedCss(
93         "font-style:italic", "font-style: Italic");
94     assertSanitizedCss(
95         "font:italic", "font: italic");
96     assertSanitizedCss(
97         "font:oblique", "font: Oblique");
98     assertSanitizedCss(
99         null, "font-style: expression(alert(1337))");
100   }
101 
102   @Test
testFontFace()103   public static final void testFontFace() {
104     assertSanitizedCss(
105         "font:'arial' , 'helvetica'", "font: Arial, Helvetica");
106     assertSanitizedCss(
107         "font-family:'arial' , 'helvetica' , sans-serif",
108         "Font-family: Arial, Helvetica, sans-serif");
109     assertSanitizedCss(
110         "font-family:'monospace' , sans-serif",
111         "Font-family: \"Monospace\", Sans-serif");
112     assertSanitizedCss(
113         "font:'arial bold' , 'helvetica' , monospace",
114         "FONT: \"Arial Bold\", Helvetica, monospace");
115     assertSanitizedCss(
116         "font-family:'arial bold' , 'helvetica'",
117         "font-family: \"Arial Bold\", Helvetica");
118     assertSanitizedCss(
119         "font-family:'arial bold' , 'helvetica'",
120         "font-family: 'Arial Bold', Helvetica");
121     assertSanitizedCss(
122         "font-family:'evil'",
123         "font-family: 3execute evil");
124     assertSanitizedCss(
125         "font-family:'arial bold' , , , 'helvetica' , sans-serif",
126         "font-family: 'Arial Bold',,\"\",Helvetica,sans-serif");
127   }
128 
129   @Test
testFont()130   public static final void testFont() {
131     assertSanitizedCss(
132         "font:'arial' 12pt bold oblique",
133         "font: Arial 12pt bold oblique");
134     assertSanitizedCss(
135         "font:'times new roman' 24px bolder",
136         "font: \"Times New Roman\" 24px bolder");
137     assertSanitizedCss("font:24px", "font: 24px");
138     // Non-ascii characters discarded.
139     assertSanitizedCss(null, "font: 24ex\\pression");
140     // Harmless garbage.
141     assertSanitizedCss(
142         "font:24ex 'pression'", "font: 24ex\0pression");
143     assertSanitizedCss(
144         null, "font: expression(arial)");
145     assertSanitizedCss(
146         null, "font: rgb(\"expression(alert(1337))//\")");
147     assertSanitizedCss("font-size:smaller", "font-size: smaller");
148     assertSanitizedCss("font:smaller", "font: smaller");
149   }
150 
151   @Test
testBidiAndAlignmentAttributes()152   public static final void testBidiAndAlignmentAttributes() {
153     assertSanitizedCss(
154         "text-align:left;unicode-bidi:embed;direction:ltr",
155         "Text-align: left; Unicode-bidi: Embed; Direction: LTR;");
156     assertSanitizedCss(
157         null, "text-align:expression(left())");
158     assertSanitizedCss(null, "text-align: bogus");
159     assertSanitizedCss("unicode-bidi:embed", "unicode-bidi:embed");
160     assertSanitizedCss(null, "unicode-bidi:expression(embed)");
161     assertSanitizedCss(null, "unicode-bidi:bogus");
162     assertSanitizedCss(null, "direction:expression(ltr())");
163   }
164 
165   @Test
testTextDecoration()166   public static final void testTextDecoration() {
167     assertSanitizedCss(
168         "text-decoration:underline",
169         "Text-Decoration: Underline");
170     assertSanitizedCss(
171         "text-decoration:overline",
172         "text-decoration: overline");
173     assertSanitizedCss(
174         "text-decoration:line-through",
175         "text-decoration: line-through");
176     assertSanitizedCss(
177         null,
178         "text-decoration: expression(document.location=42)");
179   }
180 
181   @Test
testBoxProperties()182   public static final void testBoxProperties() {
183     // http://www.w3.org/TR/CSS2/box.html
184     assertSanitizedCss("height:0", "height:0");
185     assertSanitizedCss("width:0", "width:0");
186     assertSanitizedCss("width:20px", "width:20px");
187     assertSanitizedCss("width:20", "width:20");
188     assertSanitizedCss("width:100%", "width:100%");
189     assertSanitizedCss("height:6in", "height:6in");
190     assertSanitizedCss(null, "width:-20");
191     assertSanitizedCss(null, "width:url('foo')");
192     assertSanitizedCss(null, "height:6fixed");
193     assertSanitizedCss("margin:2 2 2 2", "margin:2 2 2 2");
194     assertSanitizedCss("margin:2 2 2", "margin:2 2 2");
195     assertSanitizedCss("padding:2 2", "padding:2 2");
196     assertSanitizedCss("margin:2", "margin:2");
197     assertSanitizedCss("margin:2px 4px 6px 8px", "margin:2px 4px 6px 8px");
198     assertSanitizedCss("padding:0 4px 6px", "padding:0 4px 6px");
199     assertSanitizedCss("margin:2px 4px 6px 4px", "margin:2px 4px 6px 4px");
200     assertSanitizedCss("margin:0 4px", "margin:0 4px");
201     assertSanitizedCss("margin:0 4px", "margin:0 4 px");
202     assertSanitizedCss("padding-left:4px", "padding-left:4px");
203     assertSanitizedCss("padding-left:0.4em;padding-top:2px;margin-bottom:3px",
204                        "padding-left:0.4em;padding-top:2px;margin-bottom:3px");
205     assertSanitizedCss("padding:0 1em 0.5in 1.5cm",
206                        "padding:00. 1EM +00.5 In 1.50cm");
207     // Mixed.
208     assertSanitizedCss("margin:1em;margin-top:0.25em",
209                        "margin:1em; margin-top:.25em");
210   }
211 
212   @Test
testUrls()213   public static final void testUrls() throws Exception {
214     // Test that a long URL does not blow out the stack or consume quadratic
215     // amounts of processor as when the CSS lexer was implemented as a bunch of
216     // regular expressions.
217     String longUrl = ""
218         + "background-image:url(data:image/gif;base64,"
219         + "R0lGODlhMgCaAPf/AO5ZOuRpTfXSyvro5Pz08uCEb+ShkeummPOMdPOqmdZdQvbEud1"
220         + "UNuqmlvqbhchNMfnTyvXPxu6pmtFkTeJ6Y9JxXPR8YNRSNvyunP3Mwd1zW+iCau9dPt"
221         + "BOMe69sutwVPGGbuFcPvmRefqAZuhiQ/rJv9pFJf3h2up0WttCItmBbv3r5/26q/bc1"
222         + "v3XzvHOx8tML/nf2cpAI+hfQf3GufVbOvyrmvCkk/7r5vnm4t+BbPism/apmN9DI+hN"
223         + "LrkrD/x4V98+HeFBIPt0U/x2VflaOfdwT/lzUvhYN/p2VfhWNd47Gvx5WPtyUflcO+J"
224         + "EI/VsS/FjQvRpSPtwT/tuTebm5vpmRfppSPlePeRIJ8XFxdRQNPpsS8I9IYyMjOhQL+"
225         + "xYN+ZMK/liQflgP+1dO+pUM//188RBJZGRkff39/718vFZOcA/JtVXO8VEKPvVzeuhk"
226         + "Pynk/ermsdHK/7Yz/ehjvi2p9Z4ZPre2NRDJPVkRPzz8d9NLdR1YNM2F/SkksBBKOdX"
227         + "OfaHbdhsVPFbO81cQs1UOO2HcPNTM/708dd7Zt1GJuFRMd1JKfBiQvyNcuF1XfqOd+6"
228         + "gj+SDbPuJb/re1/TUzeReP+mHce1zWeOdjthYPOaSgO2LdOyllPFzWPezpPe7rfVzVO"
229         + "6Hb/vz8f7f2eGJdOKMee54XeBiR/Z5XeNlSfyVfPJtT++ikf7i3POrnPGun9+VhOVSM"
230         + "vzo499/as1EJup5YPvUy+abi+tjRPNrS91aPfCCafyxn/SCaNVZPeu7r+B+ad1WOOuy"
231         + "pOm3rPt6W/OikPvq5vCmlt6Qf/ygivp2V/OTfPrb1eKfkP7Z0OyBaeibiuieju+ciu2"
232         + "ejeKCbOatn+2YhOFVN+eRfedWNvWplvLRyuF4Xs5kTdlOL+3Eu+1mR/zp5fzq5dVMLt"
233         + "JTOPvDtvKgjvy1pe9yVchFKeafj+WYh/nBs/HIvv3Ctd9YONdVOM5BI8pXP/jUzOqKd"
234         + "OiMd9toUN1iSONuU8HBwYmJifX19f///////yH/C1hNUCBEYXRhWE1QPD94cGFja2V0"
235         + "IGJlZ2luPSLvu78iIGlkPSJXNU0wTXBDZWhpSHpyZVN6TlRjemtjOWQiPz4gPHg6eG1"
236         + "wbWV0YSB4bWxuczp4PSJhZG9iZTpuczptZXRhLyIgeDp4bXB0az0iQWRvYmUgWE1QIE"
237         + "NvcmUgNS4wLWMwNjEgNjQuMTQwOTQ5LCAyMDEwLzEyLzA3LTEwOjU3OjAxICAgICAgI"
238         + "CAiPiA8cmRmOlJERiB4bWxuczpyZGY9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkvMDIv"
239         + "MjItcmRmLXN5bnRheC1ucyMiPiA8cmRmOkRlc2NyaXB0aW9uIHJkZjphYm91dD0iIiB"
240         + "4bWxuczp4bXBNTT0iaHR0cDovL25zLmFkb2JlLmNvbS94YXAvMS4wL21tLyIgeG1sbn"
241         + "M6c3RSZWY9Imh0dHA6Ly9ucy5hZG9iZS5jb20veGFwLzEuMC9zVHlwZS9SZXNvdXJjZ"
242         + "VJlZiMiIHhtbG5zOnhtcD0iaHR0cDovL25zLmFkb2JlLmNvbS94YXAvMS4wLyIgeG1w"
243         + "TU06T3JpZ2luYWxEb2N1bWVudElEPSJ4bXAuZGlkOkEyRDgxODE2MkMyMDY4MTE4NzF"
244         + "GRDNDMzU5QkE3OTE3IiB4bXBNTTpEb2N1bWVudElEPSJ4bXAuZGlkOkMzMjA1M0I4Qk"
245         + "M4RjExRTBCRDBEQkE0MTlGMTc4MDZGIiB4bXBNTTpJbnN0YW5jZUlEPSJ4bXAuaWlkO"
246         + "jlFQzFFMTZFQkM4RDExRTBCRDBEQkE0MTlGMTc4MDZGIiB4bXA6Q3JlYXRvclRvb2w9"
247         + "IkFkb2JlIFBob3Rvc2hvcCBDUzUuMSBNYWNpbnRvc2giPiA8eG1wTU06RGVyaXZlZEZ"
248         + "yb20gc3RSZWY6aW5zdGFuY2VJRD0ieG1wLmlpZDpDMjFGMUIwQjMyMjA2ODExODcxRk"
249         + "QzQzM1OUJBNzkxNyIgc3RSZWY6ZG9jdW1lbnRJRD0ieG1wLmRpZDpBMkQ4MTgxNjJDM"
250         + "jA2ODExODcxRkQzQzM1OUJBNzkxNyIvPiA8L3JkZjpEZXNjcmlwdGlvbj4gPC9yZGY6"
251         + "UkRGPiA8L3g6eG1wbWV0YT4gPD94cGFja2V0IGVuZD0iciI/PgH//v38+/r5+Pf29fT"
252         + "z8vHw7+7t7Ovq6ejn5uXk4+Lh4N/e3dzb2tnY19bV1NPS0dDPzs3My8rJyMfGxcTDws"
253         + "HAv769vLu6ubi3trW0s7KxsK+urayrqqmop6alpKOioaCfnp2cm5qZmJeWlZSTkpGQj"
254         + "46NjIuKiYiHhoWEg4KBgH9+fXx7enl4d3Z1dHNycXBvbm1sa2ppaGdmZWRjYmFgX15d"
255         + "XFtaWVhXVlVUU1JRUE9OTUxLSklIR0ZFRENCQUA/Pj08Ozo5ODc2NTQzMjEwLy4tLCs"
256         + "qKSgnJiUkIyIhIB8eHRwbGhkYFxYVFBMSERAPDg0MCwoJCAcGBQQDAgEAACH5BAEAAP"
257         + "8ALAAAAAAyAJoAAAj/AP+h8EGwoMGDCBMqXOgDxb8ZUphInEixosWLGDMykTLDB5CPI"
258         + "EOKHEmypEmQBImoXMmypcuXMGOuJDikps2bOHPq3MnTJsEmQJv4G0rUX9CjSJMqXXqU"
259         + "4JSnRaM+nWKMxtBXy6Y8gvZoqtevYL8SpEK2KJWiCsjSMIPNlCUC6lj5u7eLrN27ePO"
260         + "SJcilb1EuaPvSQaZBnAUJGkT487DCTBwulOj4M8OCSxw6vvwxYzH5cV8uBK+IHiq69F"
261         + "Bgoh0MPcHCAgnF7+zFIKArw4kAufxFw+AvBixiODo18IeqNEEryItaKdoGuRUEHgj4I"
262         + "6Aqkr8CIeT422QF0wEX13f4/xvEi1y9A9ob6EF+PDnR5USbW8EQydElaf4aWC/giHcb"
263         + "eGbYkcB12rWhhxkCSJBAAgXMwJ4PYkQYVVEXRIgDHp+IMYI/7Rzijw4c2ODPBf4kIw8"
264         + "1H/IwohgZCJDKBxAcwkGEBI1h4xgTjniBjSMMQBQuF4DwYYgjpuMPBKX4c4qKO44wzl"
265         + "AlDMOBjQRhYaWVW2Sp5RZXYkEIJLUosAUDWACwBQBYBMLlLfgwwMCZalr5pQZbZHMlQ"
266         + "U7kqeeefOq5BgA19LnnGoEK6sQaa+xJUBGMNuroo5BGKumkjRKExKWYZqrpppx26imm"
267         + "PsyAiBKklmrqqaimquqqSiAyw0MMxf8q66yv/lPID7jmquuuvPbq668/FPIPGyGcZOy"
268         + "xyIbAxg9JNOvss9BGK+201DqL6xHYZqvtttx26+232eJqxLjklmvuueimqy65uELhLh"
269         + "Q5vivvvPTWa6+8uEqhb45D6SuFKOes5oAUgrggiL8IJ6xwwrhG4bBZRRnisDtqaKNCN"
270         + "wQEgMB1Mzjs8ccgh+xwww8TBRhREkfxxgCDXIJCA4NsHAw5atQRxS9v+KOGHVHU8YZ4"
271         + "rdihs80e40rG0aSVdsVQDxzdzFB4gPLBMKP4E441LewRTwmVKCCLP95w408LnlwzziQ"
272         + "G+KPP0WTgCsbbyhUFw9tgbFAMKf7s8YGQimz/cYM/cwtjAAT+KPL3BB0MIIABfz+zzd"
273         + "u4liF53ETNIfkfvTBSjjL+aBKNP3cw8oc/c4SSSCxwgO4K6bMk8gI7cMBxBziS4/rF7"
274         + "fz648bttLSwyheZ+KMMBf70wccxuvszzTqcFC+J7l8s8II5+URAAR+34xrG9mHkeMYZ"
275         + "23+QA1ERnEF8H42g488ZsPgTgTP+qFDN+mGIP9QCtjSyPa5Z9N9/FwAMYBf8l4VFTKA"
276         + "CD+iCDLJggi6YIAt5GCA+6CEDGTgwgv0z4De6MA//4eoJIAyhCEcYwhSkoAckFOEJUw"
277         + "hCE4oQV0KIoQxnSMMa2vCGOJQhroLAwx768IdADKIQ/4fYwx8Awg9LSKISl8jEJjrxi"
278         + "VBcgh8AMSxgWfGKWGTDP/6hhX148YtgDKMYx0jGMu5DC1zsR+7WyMY2FqUfXXSjHOc4"
279         + "IS/S8Y5ztCMe97hGPfLxj1HxIyAHKchB/rGQhtwjIhN5x0UyMo/7eOQhIylJRVKyko2"
280         + "8JCYhuclMdpKOjvxkjkIpykBqspS5IyUqh6LKVbYSla8sZSxFOctP1rKTt9xkLjG5y0"
281         + "r2UpJnTMMqc5cGNHbRjGVU4xuRSUY0bvGZ0IymNLe4D2X6ox/7mKY2t8lNblbzmtnsp"
282         + "jjHuc1IhpOc6EznP86pzmiigR/wjKc850nPetrznvxAwz+8UP+FfvjznwANqEAHStCC"
283         + "9qMKXuCHQRfK0Ib6E54OjahE/wnRiVqUoRW9qEYHmtGNevShCv2oSDsqUo2StKQWPSl"
284         + "KJarSlTq0pS7FaEhjOlGY0rSgNr0pR2eq04bmtKcA/SlQQTpUn/K0qAQV6lCVClSm9t"
285         + "SpOoXqTaVKU6rG1KouxepKtYpSfvATqQVF6D7xic9+ArQKZLWnF9oZTX6Y9aD8YKtc2"
286         + "9pPtM71rs90a1zxyte98vWZx2SmYL/oTHRqwZqPhGM6T/lIdoqTsYx0bDchm0jJehOX"
287         + "i8UsOb+py80i1pfj5KxmvflZXoa2tMD0rC3RKVrQsna0oYXtY2U7WdplclMLwqxkMdU"
288         + "Z2MEKtrDofGdahytPfabzqzEVKzqPutV0Mrerzo1qdKc63aou961XJadbnzrO7XK3m9"
289         + "79Lnixa93ukjer15XuctWrXfZ2173ifG5J/TpO5LpUuehMKHH3u1ZxBgQAOw==);";
290     assertSanitizedCss(null, longUrl);
291   }
292 
assertSanitizedCss( @ullable String expectedCss, String css)293   private static void assertSanitizedCss(
294       @Nullable String expectedCss, String css) {
295     StylingPolicy stylingPolicy = new StylingPolicy(CssSchema.DEFAULT);
296     assertEquals(expectedCss, stylingPolicy.sanitizeCssProperties(css));
297   }
298 }
299