From 135af00d37aae306951c0d36b07484b8e4dee7a1 Mon Sep 17 00:00:00 2001
From: Neha Garg
Date: Mon, 7 Oct 2024 11:52:07 +0530
Subject: [PATCH] addressed review comments, removed url+javascript checks

---
 .../org/owasp/validator/css/CssValidator.java | 13 ++----
 .../owasp/validator/css/CssValidatorTest.java | 40 -------------------
 2 files changed, 3 insertions(+), 50 deletions(-)

diff --git a/src/main/java/org/owasp/validator/css/CssValidator.java b/src/main/java/org/owasp/validator/css/CssValidator.java
index 49e9795..9423cb9 100644
--- a/src/main/java/org/owasp/validator/css/CssValidator.java
+++ b/src/main/java/org/owasp/validator/css/CssValidator.java
@@ -333,20 +333,13 @@ public String lexicalValueToString(LexicalUnit lu) {
 return String.valueOf(lu.getFloatValue());
 case LexicalUnit.SAC_STRING_VALUE:
 case LexicalUnit.SAC_IDENT:
- // Ensure that JavaScript URLs are not allowed
+ // just a string/identifier
 String stringValue = lu.getStringValue();
- if (stringValue == null || stringValue.toLowerCase().startsWith("javascript:")) {
- return null;
- }
 if (stringValue.indexOf(" ") != -1) stringValue = "'" + stringValue + "'";
 return stringValue;
 case LexicalUnit.SAC_URI:
- // Ensure that JavaScript URLs are not allowed
- String url = lu.getStringValue();
- if (url == null || url.toLowerCase().startsWith("javascript:")) {
- return null;
- }
- return "url(" + url + ")";
+ // this is a URL
+ return "url(" + lu.getStringValue() + ")";
 case LexicalUnit.SAC_RGBCOLOR:
 // this is a rgb encoded color
 StringBuffer sb = new StringBuffer("rgb(");
diff --git a/src/test/java/org/owasp/validator/css/CssValidatorTest.java b/src/test/java/org/owasp/validator/css/CssValidatorTest.java
index 42de037..28290f0 100644
--- a/src/test/java/org/owasp/validator/css/CssValidatorTest.java
+++ b/src/test/java/org/owasp/validator/css/CssValidatorTest.java
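Review bot: The null guard was dropped together with the `javascript:` check in the SAC_STRING_VALUE/SAC_IDENT case, so `stringValue.indexOf(" ")` now throws NullPointerException whenever `lu.getStringValue()` returns null — a value the removed code evidently expected, since it returned null for it — and the SAC_URI case likewise now produces the literal text `url(null)` instead of null. If only the scheme check was meant to go, keep `if (stringValue == null) return null;` between the assignment and the indexOf, and apply the same guard to the SAC_URI value before building `url(...)`. The replacement comments `// just a string/identifier` and `// this is a URL` say nothing about why scheme filtering no longer happens here; a one-line pointer to where URL schemes are validated instead (if anywhere), e.g. `// scheme filtering for url() values is not done here; see the policy's URL handling`, would stop the next reader from re-adding it or from assuming this output is safe to emit unchecked. The body of lexicalValueToString starts and ends outside the hunk.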
@@ -90,46 +90,6 @@ public void testDefaultPolicyUrlFunction() {
 assertEquals("url(http://example.com)", cssValidator.lexicalValueToString(urlFunc));
 }
 
- @Test
- public void testDefaultPolicyUrlFunctionWithJavaScript() {
- CssValidator cssValidator = new CssValidator(null);
-
- // Test a url function with a JavaScript URL
- final CSSLexicalUnit urlParam =
- CSSLexicalUnit.createString(LexicalUnit.SAC_STRING_VALUE, "javascript:alert(1)", null);
- final CSSLexicalUnit urlFunc = CSSLexicalUnit.createFunction("url", urlParam, null);
-
- // Ensure that JavaScript URLs are not allowed
- assertNull(cssValidator.lexicalValueToString(urlFunc));
- }
-
- @Test
- public void testLexicalValueToStringNestedVarsWithJavaScriptAsFallback() {
- CssValidator cssValidator = new CssValidator(null);
-
- // Create fallback first: --ds-text-purple, #FFFFFF
- final CSSLexicalUnit param =
- CSSLexicalUnit.createString(LexicalUnit.SAC_STRING_VALUE, "--custom-url", null);
- final CSSLexicalUnit fallback =
- CSSLexicalUnit.createString(LexicalUnit.SAC_STRING_VALUE, "javascript:alert(1)", null);
-
- // Create first var() function with fallback
- final CSSLexicalUnit function = CSSLexicalUnit.createFunction("var", param, fallback);
-
- // Check if the output is as expected for first var()
- assertNull(cssValidator.lexicalValueToString(function));
- }
-
- @Test
- public void testSacUriWithJavaScriptUrl() {
- CssValidator cssValidator = new CssValidator(null);
-
- // Test with a JavaScript URL, which should be blocked
- final CSSLexicalUnit jsUrl =
- CSSLexicalUnit.createString(LexicalUnit.SAC_URI, "javascript:alert(1)", null);
- assertNull("JavaScript URL should be blocked", cssValidator.lexicalValueToString(jsUrl));
- }
-
 @Test
 public void testSacUriWithValidUrl() {
 CssValidator cssValidator = new CssValidator(null);