addressed review comments, removed url+javascript checks

nahsra · Oct 7, 2024 · 135af00 · 135af00
1 parent 0b05159
commit 135af00
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 50 deletions.
diff --git a/src/main/java/org/owasp/validator/css/CssValidator.java b/src/main/java/org/owasp/validator/css/CssValidator.java
@@ -333,20 +333,13 @@ public String lexicalValueToString(LexicalUnit lu) {
         return String.valueOf(lu.getFloatValue());
       case LexicalUnit.SAC_STRING_VALUE:
       case LexicalUnit.SAC_IDENT:
-        // Ensure that JavaScript URLs are not allowed
+        // just a string/identifier
         String stringValue = lu.getStringValue();
-        if (stringValue == null || stringValue.toLowerCase().startsWith("javascript:")) {
-          return null;
-        }
         if (stringValue.indexOf(" ") != -1) stringValue = "'" + stringValue + "'";
         return stringValue;
       case LexicalUnit.SAC_URI:
-        // Ensure that JavaScript URLs are not allowed
-        String url = lu.getStringValue();
-        if (url == null || url.toLowerCase().startsWith("javascript:")) {
-          return null;
-        }
-        return "url(" + url + ")";
+        // this is a URL
+        return "url(" + lu.getStringValue() + ")";
       case LexicalUnit.SAC_RGBCOLOR:
         // this is a rgb encoded color
         StringBuffer sb = new StringBuffer("rgb(");

diff --git a/src/test/java/org/owasp/validator/css/CssValidatorTest.java b/src/test/java/org/owasp/validator/css/CssValidatorTest.java
@@ -90,46 +90,6 @@ public void testDefaultPolicyUrlFunction() {
     assertEquals("url(http://example.com)", cssValidator.lexicalValueToString(urlFunc));
   }
 
-  @Test
-  public void testDefaultPolicyUrlFunctionWithJavaScript() {
-    CssValidator cssValidator = new CssValidator(null);
-
-    // Test a url function with a JavaScript URL
-    final CSSLexicalUnit urlParam =
-        CSSLexicalUnit.createString(LexicalUnit.SAC_STRING_VALUE, "javascript:alert(1)", null);
-    final CSSLexicalUnit urlFunc = CSSLexicalUnit.createFunction("url", urlParam, null);
-
-    // Ensure that JavaScript URLs are not allowed
-    assertNull(cssValidator.lexicalValueToString(urlFunc));
-  }
-
-  @Test
-  public void testLexicalValueToStringNestedVarsWithJavaScriptAsFallback() {
-    CssValidator cssValidator = new CssValidator(null);
-
-    // Create fallback first: --ds-text-purple, #FFFFFF
-    final CSSLexicalUnit param =
-        CSSLexicalUnit.createString(LexicalUnit.SAC_STRING_VALUE, "--custom-url", null);
-    final CSSLexicalUnit fallback =
-        CSSLexicalUnit.createString(LexicalUnit.SAC_STRING_VALUE, "javascript:alert(1)", null);
-
-    // Create first var() function with fallback
-    final CSSLexicalUnit function = CSSLexicalUnit.createFunction("var", param, fallback);
-
-    // Check if the output is as expected for first var()
-    assertNull(cssValidator.lexicalValueToString(function));
-  }
-
-  @Test
-  public void testSacUriWithJavaScriptUrl() {
-    CssValidator cssValidator = new CssValidator(null);
-
-    // Test with a JavaScript URL, which should be blocked
-    final CSSLexicalUnit jsUrl =
-        CSSLexicalUnit.createString(LexicalUnit.SAC_URI, "javascript:alert(1)", null);
-    assertNull("JavaScript URL should be blocked", cssValidator.lexicalValueToString(jsUrl));
-  }
-
   @Test
   public void testSacUriWithValidUrl() {
     CssValidator cssValidator = new CssValidator(null);