From d3cbb3dab0605f3893a28a6ed71519d226a80dab Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sebasti=C3=A1n=20Passaro?= Date: Mon, 1 Jan 2024 22:08:18 -0300 Subject: [PATCH 1/5] Add tests for updates on neko-htmlunit New tests for "bang comments" and update a CDATA parsing test to adapt to new parsing behavior. --- pom.xml | 2 +- .../validator/html/test/AntiSamyTest.java | 33 +++++++++++++++++-- 2 files changed, 32 insertions(+), 3 deletions(-) diff --git a/pom.xml b/pom.xml index c5392a9..767c236 100644 --- a/pom.xml +++ b/pom.xml @@ -94,7 +94,7 @@ org.htmlunit neko-htmlunit - 3.9.0 + 3.10.0 org.apache.httpcomponents.client5 diff --git a/src/test/java/org/owasp/validator/html/test/AntiSamyTest.java b/src/test/java/org/owasp/validator/html/test/AntiSamyTest.java index f73e1cc..21aa664 100644 --- a/src/test/java/org/owasp/validator/html/test/AntiSamyTest.java +++ b/src/test/java/org/owasp/validator/html/test/AntiSamyTest.java @@ -1307,8 +1307,8 @@ public void CDATAByPass() throws ScanException, PolicyException { assertTrue(crd.getErrorMessages().size() > 0); assertTrue(crs.getErrorMessages().size() > 0); - assertTrue(crSax.contains("<script") && !crDom.contains("--!>
  • -->

    ", revised, AntiSamy.DOM) + .getCleanHTML(), + not(containsString("mxss"))); + assertThat( + as.scan("
  • -->

    ", revised, AntiSamy.SAX) + .getCleanHTML(), + not(containsString("mxss"))); + assertThat( + as.scan( + "
  • -->

    ", + revised, + AntiSamy.DOM) + .getCleanHTML(), + not(containsString("mxss"))); + assertThat( + as.scan( + "
  • -->

    ", + revised, + AntiSamy.SAX) + .getCleanHTML(), + not(containsString("mxss"))); + } } From 6e4ad4396bd22e85ae3e92c00b5e6c1c04681dd3 Mon Sep 17 00:00:00 2001 From: Ronald Brill Date: Sun, 7 Jan 2024 11:45:23 +0100 Subject: [PATCH 2/5] adjust for the latest neko snapshot - use getter because the fields are no longer public --- .../validator/html/scan/MagicSAXFilter.java | 22 +++++++++---------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/src/main/java/org/owasp/validator/html/scan/MagicSAXFilter.java b/src/main/java/org/owasp/validator/html/scan/MagicSAXFilter.java index ae0ca48..273a5c0 100644 --- a/src/main/java/org/owasp/validator/html/scan/MagicSAXFilter.java +++ b/src/main/java/org/owasp/validator/html/scan/MagicSAXFilter.java @@ -166,7 +166,7 @@ public void endElement(QName element, Augmentations augs) throws XNIException { // if encoding this element, insert closing tag: super.characters will encode the string // buffer operations.pop(); - super.characters(makeEndTag(element.rawname), augs); + super.characters(makeEndTag(element.getRawname()), augs); } else if (Ops.CSS == topOp) { operations.pop(); // now scan the CSS. @@ -242,7 +242,7 @@ public void endCDATA(Augmentations augs) throws XNIException { public void startElement(QName element, XMLAttributes attributes, Augmentations augs) throws XNIException { // see if we have a policy for this tag. - String tagNameLowerCase = element.localpart.toLowerCase(); + String tagNameLowerCase = element.getLocalpart().toLowerCase(); Tag tag = policy.getTagByLowercaseName(tagNameLowerCase); /* 
@@ -275,22 +275,22 @@ public void startElement(QName element, XMLAttributes attributes, Augmentations this.operations.push(Ops.REMOVE); } else if ((tag == null && policy.isEncodeUnknownTag()) || (tag != null && tag.isAction(Policy.ACTION_ENCODE))) { - String name = "<" + element.localpart + ">"; + String name = "<" + element.getLocalpart() + ">"; super.characters(new XMLString(name.toCharArray(), 0, name.length()), augs); this.operations.push(Ops.ENCODE); } else if (tag == null) { addError( ErrorMessageUtil.ERROR_TAG_NOT_IN_POLICY, - new Object[] {HTMLEntityEncoder.htmlEntityEncode(element.localpart)}); + new Object[] {HTMLEntityEncoder.htmlEntityEncode(element.getLocalpart())}); this.operations.push(Ops.FILTER); } else if (tag.isAction(Policy.ACTION_FILTER)) { addError( ErrorMessageUtil.ERROR_TAG_FILTERED, - new Object[] {HTMLEntityEncoder.htmlEntityEncode(element.localpart)}); + new Object[] {HTMLEntityEncoder.htmlEntityEncode(element.getLocalpart())}); this.operations.push(Ops.FILTER); } else if (tag.isAction("validate")) { - boolean isStyle = "style".endsWith(element.localpart); + boolean isStyle = "style".endsWith(element.getLocalpart()); // validate all attributes, we need to do this now to find out // how to deal with the element 
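Review bot: `"style".endsWith(element.getLocalpart())` is a suffix test, not an equality test: it is true for local parts `e`, `le`, `yle`, `tyle` and the empty string as well as `style`, and false for an upper-case `STYLE` even though the policy lookup at the top of startElement was done on the lower-cased name. The intended check is presumably equality against the name already normalised there, `boolean isStyle = "style".equals(tagNameLowerCase);`. What `isStyle` controls is outside this hunk, so the practical impact of the suffix match cannot be judged from the patch alone.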
@@ -313,14 +313,14 @@ public void startElement(QName element, XMLAttributes attributes, Augmentations if ("style".equalsIgnoreCase(name)) { CssScanner styleScanner = makeCssScanner(); try { - CleanResults cr = styleScanner.scanInlineStyle(value, element.localpart, maxInputSize); + CleanResults cr = styleScanner.scanInlineStyle(value, element.getLocalpart(), maxInputSize); attributes.setValue(i, cr.getCleanHTML()); validattributes.addAttribute(makeSimpleQname(name), "CDATA", cr.getCleanHTML()); errorMessages.addAll(cr.getErrorMessages()); } catch (ScanException e) { addError( ErrorMessageUtil.ERROR_CSS_ATTRIBUTE_MALFORMED, - new Object[] {element.localpart, HTMLEntityEncoder.htmlEntityEncode(value)}); + new Object[] {element.getLocalpart(), HTMLEntityEncoder.htmlEntityEncode(value)}); } } else if (attribute != null) { // validate the values against the policy @@ -378,7 +378,7 @@ public void startElement(QName element, XMLAttributes attributes, Augmentations addError( ErrorMessageUtil.ERROR_ATTRIBUTE_NOT_IN_POLICY, new Object[] { - element.localpart, + element.getLocalpart(), HTMLEntityEncoder.htmlEntityEncode(name), HTMLEntityEncoder.htmlEntityEncode(value) }); @@ -399,7 +399,7 @@ public void startElement(QName element, XMLAttributes attributes, Augmentations this.operations.push(Ops.FILTER); } else { - if ("a".equals(element.localpart)) { + if ("a".equals(element.getLocalpart())) { boolean addNofollow = isNofollowAnchors; boolean addNoopenerAndNoreferrer = false; @@ -447,7 +447,7 @@ public void startElement(QName element, XMLAttributes attributes, Augmentations // no options left, so the tag will be removed addError( ErrorMessageUtil.ERROR_TAG_DISALLOWED, - new Object[] {HTMLEntityEncoder.htmlEntityEncode(element.localpart)}); + new Object[] {HTMLEntityEncoder.htmlEntityEncode(element.getLocalpart())}); this.operations.push(Ops.REMOVE); } // now we know exactly what to do, let's do it From 699bc7c7105b856b15db7d65a30741c92c840faa Mon Sep 17 00:00:00 2001 
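Review bot: In the ScanException branch the tag name goes into the error-message arguments unencoded, `new Object[] {element.getLocalpart(), HTMLEntityEncoder.htmlEntityEncode(value)}`, while the attribute value beside it and the tag name in the ERROR_TAG_NOT_IN_POLICY, ERROR_TAG_FILTERED and ERROR_TAG_DISALLOWED messages in this same file are entity-encoded. Whether the parser can deliver a name containing markup characters is not visible here, but error messages are returned to callers as text that may be rendered, so the consistent form is `HTMLEntityEncoder.htmlEntityEncode(element.getLocalpart())`. The attribute loop this sits in starts and ends outside the hunk.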
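Review bot: The ERROR_ATTRIBUTE_NOT_IN_POLICY arguments encode the attribute name and value but pass the tag name raw, `element.getLocalpart(),` on the first line of the array, which is the same inconsistency as the inline-style error above and differs from the encoded tag names used for the tag-level errors in this file. Changing it to `HTMLEntityEncoder.htmlEntityEncode(element.getLocalpart()),` makes every argument of every message in the filter encoded the same way. The enclosing attribute loop starts and ends outside this hunk.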
From: Ronald Brill Date: Sun, 7 Jan 2024 11:48:45 +0100 Subject: [PATCH 3/5] add @Override --- .../java/org/owasp/validator/css/CssHandler.java | 15 +++++++++++++++ .../java/org/owasp/validator/css/CssParser.java | 1 + .../org/owasp/validator/html/CleanResults.java | 1 + .../java/org/owasp/validator/html/Policy.java | 4 ++++ .../java/org/owasp/validator/html/model/Tag.java | 1 + .../validator/html/scan/ASHTMLSerializer.java | 2 ++ .../validator/html/scan/AntiSamyDOMScanner.java | 1 + .../validator/html/scan/AntiSamySAXScanner.java | 1 + .../owasp/validator/html/scan/MagicSAXFilter.java | 9 +++++++++ .../owasp/validator/html/test/LiteralTest.java | 1 + .../org/owasp/validator/html/test/TestPolicy.java | 1 + 11 files changed, 37 insertions(+) diff --git a/src/main/java/org/owasp/validator/css/CssHandler.java b/src/main/java/org/owasp/validator/css/CssHandler.java index 381402d..7be3875 100644 --- a/src/main/java/org/owasp/validator/css/CssHandler.java +++ b/src/main/java/org/owasp/validator/css/CssHandler.java @@ -171,6 +171,7 @@ public Collection getErrorMessages() { * * @see org.w3c.css.sac.DocumentHandler#comment(java.lang.String) */ + @Override public void comment(String text) throws CSSException { errorMessages.add( ErrorMessageUtil.getMessage( @@ -184,6 +185,7 @@ public void comment(String text) throws CSSException { * * @see org.w3c.css.sac.DocumentHandler#ignorableAtRule(java.lang.String) */ + @Override public void ignorableAtRule(String atRule) throws CSSException { // this method is called when the parser hits an unrecognized @-rule. Like the page/media/font // declarations, this is CSS2+ stuff @@ -211,6 +213,7 @@ public void ignorableAtRule(String atRule) throws CSSException { * @see org.w3c.css.sac.DocumentHandler#importStyle(java.lang.String, * org.w3c.css.sac.SACMediaList, java.lang.String) */ + @Override public void importStyle(String uri, SACMediaList media, String defaultNamespaceURI) throws CSSException { 
@@ -292,6 +295,7 @@ public void importStyle(String uri, SACMediaList media, String defaultNamespaceU * @see org.w3c.css.sac.DocumentHandler#namespaceDeclaration(java.lang.String, * java.lang.String) */ + @Override public void namespaceDeclaration(String prefix, String uri) throws CSSException { // CSS3 - Namespace declaration - ignore for now } @@ -301,6 +305,7 @@ public void namespaceDeclaration(String prefix, String uri) throws CSSException * * @see org.w3c.css.sac.DocumentHandler#startDocument(org.w3c.css.sac.InputSource) */ + @Override public void startDocument(InputSource arg0) throws CSSException { // no-op } @@ -310,6 +315,7 @@ public void startDocument(InputSource arg0) throws CSSException { * * @see org.w3c.css.sac.DocumentHandler#endDocument(org.w3c.css.sac.InputSource) */ + @Override public void endDocument(InputSource source) throws CSSException { // no-op } @@ -319,6 +325,7 @@ public void endDocument(InputSource source) throws CSSException { * * @see org.w3c.css.sac.DocumentHandler#startFontFace() */ + @Override public void startFontFace() throws CSSException { // CSS2 Font Face declaration - ignore this for now } @@ -328,6 +335,7 @@ public void startFontFace() throws CSSException { * * @see org.w3c.css.sac.DocumentHandler#endFontFace() */ + @Override public void endFontFace() throws CSSException { // CSS2 Font Face declaration - ignore this for now } @@ -337,6 +345,7 @@ public void endFontFace() throws CSSException { * * @see org.w3c.css.sac.DocumentHandler#startMedia(org.w3c.css.sac.SACMediaList) */ + @Override public void startMedia(SACMediaList media) throws CSSException { // CSS2 Media declaration - ignore this for now } @@ -346,6 +355,7 @@ public void startMedia(SACMediaList media) throws CSSException { * * @see org.w3c.css.sac.DocumentHandler#endMedia(org.w3c.css.sac.SACMediaList) */ + @Override public void endMedia(SACMediaList media) throws CSSException { // CSS2 Media declaration - ignore this for now } 
@@ -356,6 +366,7 @@ public void endMedia(SACMediaList media) throws CSSException { * @see org.w3c.css.sac.DocumentHandler#startPage(java.lang.String, * java.lang.String) */ + @Override public void startPage(String name, String pseudoPage) throws CSSException { // CSS2 Page declaration - ignore this for now } @@ -366,6 +377,7 @@ public void startPage(String name, String pseudoPage) throws CSSException { * @see org.w3c.css.sac.DocumentHandler#endPage(java.lang.String, * java.lang.String) */ + @Override public void endPage(String name, String pseudoPage) throws CSSException { // CSS2 Page declaration - ignore this for now } @@ -375,6 +387,7 @@ public void endPage(String name, String pseudoPage) throws CSSException { * * @see org.w3c.css.sac.DocumentHandler#startSelector(org.w3c.css.sac.SelectorList) */ + @Override public void startSelector(SelectorList selectors) throws CSSException { // keep track of number of valid selectors from this rule @@ -455,6 +468,7 @@ public void startSelector(SelectorList selectors) throws CSSException { * * @see org.w3c.css.sac.DocumentHandler#endSelector(org.w3c.css.sac.SelectorList) */ + @Override public void endSelector(SelectorList selectors) throws CSSException { // if we are in a state within a selector, close brace if (selectorOpen) { @@ -472,6 +486,7 @@ public void endSelector(SelectorList selectors) throws CSSException { * @see org.w3c.css.sac.DocumentHandler#property(java.lang.String, * org.w3c.css.sac.LexicalUnit, boolean) */ + @Override public void property(String name, LexicalUnit value, boolean important) throws CSSException { // only bother validating and building if we are either inline or within a selector tag diff --git a/src/main/java/org/owasp/validator/css/CssParser.java b/src/main/java/org/owasp/validator/css/CssParser.java index dd13ee8..2ae2f63 100644 --- a/src/main/java/org/owasp/validator/css/CssParser.java +++ b/src/main/java/org/owasp/validator/css/CssParser.java 
@@ -41,6 +41,7 @@ public class CssParser extends org.apache.batik.css.parser.Parser { * @param inSheet Specifies if the style to parse is inside a sheet or the sheet itself. * @throws CSSException Thrown if there are parsing errors in CSS */ + @Override protected void parseStyleDeclaration(final boolean inSheet) throws CSSException { boolean leadingDash = false; for (;;) { diff --git a/src/main/java/org/owasp/validator/html/CleanResults.java b/src/main/java/org/owasp/validator/html/CleanResults.java index ed7f537..fad145a 100644 --- a/src/main/java/org/owasp/validator/html/CleanResults.java +++ b/src/main/java/org/owasp/validator/html/CleanResults.java @@ -98,6 +98,7 @@ public CleanResults( this( startOfScan, new Callable() { + @Override public String call() throws Exception { return cleanHTML; } diff --git a/src/main/java/org/owasp/validator/html/Policy.java b/src/main/java/org/owasp/validator/html/Policy.java index e700cff..92a4fdd 100644 --- a/src/main/java/org/owasp/validator/html/Policy.java +++ b/src/main/java/org/owasp/validator/html/Policy.java @@ -1070,19 +1070,23 @@ private static Iterable getByTagName(Element parent, String tagName) { final NodeList nodes = parent.getElementsByTagName(tagName); return new Iterable() { + @Override public Iterator iterator() { return new Iterator() { int pos = 0; int len = nodes.getLength(); + @Override public boolean hasNext() { return pos < len; } + @Override public Element next() { return (Element) nodes.item(pos++); } + @Override public void remove() { throw new UnsupportedOperationException("Cant remove"); } diff --git a/src/main/java/org/owasp/validator/html/model/Tag.java b/src/main/java/org/owasp/validator/html/model/Tag.java index fef0af6..0a918f2 100644 --- a/src/main/java/org/owasp/validator/html/model/Tag.java +++ b/src/main/java/org/owasp/validator/html/model/Tag.java 
@@ -97,6 +97,7 @@ public String getRegularExpression() { Collections.sort( values, new Comparator() { + @Override public int compare(Attribute o1, Attribute o2) { return o1.getName().compareTo(o2.getName()); } diff --git a/src/main/java/org/owasp/validator/html/scan/ASHTMLSerializer.java b/src/main/java/org/owasp/validator/html/scan/ASHTMLSerializer.java index d1263d5..104f66a 100644 --- a/src/main/java/org/owasp/validator/html/scan/ASHTMLSerializer.java +++ b/src/main/java/org/owasp/validator/html/scan/ASHTMLSerializer.java @@ -20,12 +20,14 @@ public ASHTMLSerializer(Writer w, OutputFormat format, InternalPolicy policy) { this.encodeAllPossibleEntities = policy.isEntityEncodeIntlCharacters(); } + @Override protected String getEntityRef(int charToPrint) { if (encodeAllPossibleEntities || Constants.big5CharsToEncode.indexOf(charToPrint) != -1) return super.getEntityRef(charToPrint); return null; } + @Override public void endElementIO(String namespaceURI, String localName, String rawName) throws IOException { diff --git a/src/main/java/org/owasp/validator/html/scan/AntiSamyDOMScanner.java b/src/main/java/org/owasp/validator/html/scan/AntiSamyDOMScanner.java index cd4c679..ca75486 100644 --- a/src/main/java/org/owasp/validator/html/scan/AntiSamyDOMScanner.java +++ b/src/main/java/org/owasp/validator/html/scan/AntiSamyDOMScanner.java @@ -200,6 +200,7 @@ public CleanResults scan(String html) throws ScanException { Callable cleanHtml = new Callable() { + @Override public String call() throws Exception { return trimmed; } diff --git a/src/main/java/org/owasp/validator/html/scan/AntiSamySAXScanner.java b/src/main/java/org/owasp/validator/html/scan/AntiSamySAXScanner.java index bd9af8c..352bc50 100644 --- a/src/main/java/org/owasp/validator/html/scan/AntiSamySAXScanner.java +++ b/src/main/java/org/owasp/validator/html/scan/AntiSamySAXScanner.java 
@@ -182,6 +182,7 @@ public CleanResults scan(String html, Policy policy) throws ScanException { final String tainted = html; Callable cleanCallable = new Callable() { + @Override public String call() throws Exception { return trim(tainted, out.toString()); } diff --git a/src/main/java/org/owasp/validator/html/scan/MagicSAXFilter.java b/src/main/java/org/owasp/validator/html/scan/MagicSAXFilter.java index 273a5c0..2b3a115 100644 --- a/src/main/java/org/owasp/validator/html/scan/MagicSAXFilter.java +++ b/src/main/java/org/owasp/validator/html/scan/MagicSAXFilter.java @@ -98,6 +98,7 @@ public void reset(InternalPolicy instance) { inCdata = false; } + @Override public void characters(XMLString text, Augmentations augs) throws XNIException { Ops topOp = peekTop(); @@ -121,6 +122,7 @@ public void characters(XMLString text, Augmentations augs) throws XNIException { private static final Pattern conditionalDirectives = Pattern.compile("?"); + @Override public void comment(XMLString text, Augmentations augs) throws XNIException { if (preserveComments) { @@ -134,11 +136,13 @@ public void comment(XMLString text, Augmentations augs) throws XNIException { } } + @Override public void doctypeDecl(String root, String publicId, String systemId, Augmentations augs) throws XNIException { // user supplied doctypes are ignored } + @Override public void emptyElement(QName element, XMLAttributes attributes, Augmentations augs) throws XNIException { this.startElement(element, attributes, augs); @@ -154,6 +158,7 @@ private XMLString makeEndTag(String tagName) { return new XMLString(endTag.toCharArray(), 0, endTag.length()); } + @Override public void endElement(QName element, Augmentations augs) throws XNIException { Ops topOp = peekTop(); if (Ops.REMOVE == topOp) { 
@@ -224,21 +229,25 @@ private CssScanner makeCssScanner() { return cssScanner; } + @Override public void processingInstruction(String target, XMLString data, Augmentations augs) throws XNIException { // processing instructions are being removed } + @Override public void startCDATA(Augmentations augs) throws XNIException { inCdata = true; super.startCDATA(augs); } + @Override public void endCDATA(Augmentations augs) throws XNIException { inCdata = false; super.endCDATA(augs); } + @Override public void startElement(QName element, XMLAttributes attributes, Augmentations augs) throws XNIException { // see if we have a policy for this tag. diff --git a/src/test/java/org/owasp/validator/html/test/LiteralTest.java b/src/test/java/org/owasp/validator/html/test/LiteralTest.java index 60aa5f4..7f15462 100644 --- a/src/test/java/org/owasp/validator/html/test/LiteralTest.java +++ b/src/test/java/org/owasp/validator/html/test/LiteralTest.java @@ -43,6 +43,7 @@ public class LiteralTest extends TestCase { private Policy policy = null; + @Override protected void setUp() throws Exception { /* diff --git a/src/test/java/org/owasp/validator/html/test/TestPolicy.java b/src/test/java/org/owasp/validator/html/test/TestPolicy.java index 6288030..e260878 100644 --- a/src/test/java/org/owasp/validator/html/test/TestPolicy.java +++ b/src/test/java/org/owasp/validator/html/test/TestPolicy.java @@ -74,6 +74,7 @@ public static TestPolicy getInstance(URL url) throws PolicyException { return new TestPolicy(getParseContext(getTopLevelElement(url), url)); } + @Override public TestPolicy cloneWithDirective(String name, String value) { Map directives = new HashMap(this.directives); directives.put(name, value); From 968f65b8f614e9545c3bca36158a83cc02675c96 Mon Sep 17 00:00:00 2001 
From: Dave Wichers Date: Mon, 8 Jan 2024 11:23:03 -0500 Subject: [PATCH 4/5] Apply formatting changes to two source files and add -SNAPSHOT to htmlunit import. --- pom.xml | 2 +- .../org/owasp/validator/css/CssParser.java | 107 +++++++++--------- .../validator/html/scan/MagicSAXFilter.java | 3 +- 3 files changed, 57 insertions(+), 55 deletions(-) diff --git a/pom.xml b/pom.xml index 767c236..ec12cd7 100644 --- a/pom.xml +++ b/pom.xml @@ -94,7 +94,7 @@ org.htmlunit neko-htmlunit - 3.10.0 + 3.10.0-SNAPSHOT org.apache.httpcomponents.client5 diff --git a/src/main/java/org/owasp/validator/css/CssParser.java b/src/main/java/org/owasp/validator/css/CssParser.java index 2ae2f63..832f6c9 100644 --- a/src/main/java/org/owasp/validator/css/CssParser.java +++ b/src/main/java/org/owasp/validator/css/CssParser.java 
@@ -35,64 +35,65 @@ public class CssParser extends org.apache.batik.css.parser.Parser { - /** - * This implementation is a workaround to solve leading dash errors on property names. - * @see https://issues.apache.org/jira/browse/BATIK-1112 - * @param inSheet Specifies if the style to parse is inside a sheet or the sheet itself. - * @throws CSSException Thrown if there are parsing errors in CSS - */ - @Override - protected void parseStyleDeclaration(final boolean inSheet) throws CSSException { - boolean leadingDash = false; - for (;;) { - switch (current) { - case LexicalUnits.EOF: - if (inSheet) { - throw createCSSParseException("eof"); - } - return; - case LexicalUnits.RIGHT_CURLY_BRACE: - if (!inSheet) { - throw createCSSParseException("eof.expected"); - } - nextIgnoreSpaces(); - return; - case LexicalUnits.SEMI_COLON: - nextIgnoreSpaces(); - continue; - case LexicalUnits.MINUS: - leadingDash = true; - next(); - break; - default: - throw createCSSParseException("identifier"); - case LexicalUnits.IDENTIFIER: - } + /** + * This implementation is a workaround to solve leading dash errors on property names. + * + * @see https://issues.apache.org/jira/browse/BATIK-1112 + * @param inSheet Specifies if the style to parse is inside a sheet or the sheet itself. 
+ * @throws CSSException Thrown if there are parsing errors in CSS + */ + @Override + protected void parseStyleDeclaration(final boolean inSheet) throws CSSException { + boolean leadingDash = false; + for (; ; ) { + switch (current) { + case LexicalUnits.EOF: + if (inSheet) { + throw createCSSParseException("eof"); + } + return; + case LexicalUnits.RIGHT_CURLY_BRACE: + if (!inSheet) { + throw createCSSParseException("eof.expected"); + } + nextIgnoreSpaces(); + return; + case LexicalUnits.SEMI_COLON: + nextIgnoreSpaces(); + continue; + case LexicalUnits.MINUS: + leadingDash = true; + next(); + break; + default: + throw createCSSParseException("identifier"); + case LexicalUnits.IDENTIFIER: + } - final String name = (leadingDash ? "-" : "") + scanner.getStringValue(); - leadingDash = false; + final String name = (leadingDash ? "-" : "") + scanner.getStringValue(); + leadingDash = false; - if (nextIgnoreSpaces() != LexicalUnits.COLON) { - throw createCSSParseException("colon"); - } - nextIgnoreSpaces(); + if (nextIgnoreSpaces() != LexicalUnits.COLON) { + throw createCSSParseException("colon"); + } + nextIgnoreSpaces(); - LexicalUnit exp = null; + LexicalUnit exp = null; - try { - exp = parseExpression(false); - } catch (final CSSParseException e) { - reportError(e); - } + try { + exp = parseExpression(false); + } catch (final CSSParseException e) { + reportError(e); + } - if (exp != null) { - boolean important = false; - if (current == LexicalUnits.IMPORTANT_SYMBOL) { - important = true; - nextIgnoreSpaces(); - } - documentHandler.property(name, exp, important); - } + if (exp != null) { + boolean important = false; + if (current == LexicalUnits.IMPORTANT_SYMBOL) { + important = true; + nextIgnoreSpaces(); } + documentHandler.property(name, exp, important); + } } + } } diff --git a/src/main/java/org/owasp/validator/html/scan/MagicSAXFilter.java b/src/main/java/org/owasp/validator/html/scan/MagicSAXFilter.java index 2b3a115..5fe4660 100644 
--- a/src/main/java/org/owasp/validator/html/scan/MagicSAXFilter.java +++ b/src/main/java/org/owasp/validator/html/scan/MagicSAXFilter.java @@ -322,7 +322,8 @@ public void startElement(QName element, XMLAttributes attributes, Augmentations if ("style".equalsIgnoreCase(name)) { CssScanner styleScanner = makeCssScanner(); try { - CleanResults cr = styleScanner.scanInlineStyle(value, element.getLocalpart(), maxInputSize); + CleanResults cr = + styleScanner.scanInlineStyle(value, element.getLocalpart(), maxInputSize); attributes.setValue(i, cr.getCleanHTML()); validattributes.addAttribute(makeSimpleQname(name), "CDATA", cr.getCleanHTML()); errorMessages.addAll(cr.getErrorMessages()); From 5268923b8f16914bbab4573149a6c08091a464bb Mon Sep 17 00:00:00 2001 From: Dave Wichers Date: Mon, 15 Jan 2024 10:50:45 -0500 Subject: [PATCH 5/5] Upgrade a few dependencies. --- pom.xml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/pom.xml b/pom.xml index ec12cd7..849dd8f 100644 --- a/pom.xml +++ b/pom.xml @@ -76,8 +76,8 @@ 2023-12-18T21:08:34Z 1.8 1.12.0 - 2.0.9 - 4.8.2.0 + 2.0.11 + 4.8.3.0 4.8.3 @@ -94,7 +94,7 @@ org.htmlunit neko-htmlunit - 3.10.0-SNAPSHOT + 3.10.0 org.apache.httpcomponents.client5 @@ -407,7 +407,7 @@ org.apache.maven.plugins maven-jxr-plugin - 3.3.1 + 3.3.2 org.apache.maven.plugins @@ -455,7 +455,7 @@ org.apache.maven.plugins maven-surefire-plugin - 3.2.3 + 3.2.5 org.codehaus.mojo