/**
 * Visits a single DOM node and sanitizes it when it is an inline
 * {@code <style>} element.
 *
 * <p>Only element nodes whose tag name is {@code "style"} (compared
 * case-insensitively) are handed to {@code cssSanitizer}, together with the
 * gadget's spec URL, its context and the CSS import / image rewriters. Any
 * other node is left untouched.
 *
 * @param gadget the gadget whose document is being rewritten
 * @param node   the node currently being visited
 * @return {@code VisitStatus.MODIFY} when the style element was sanitized in
 *         place, {@code VisitStatus.BYPASS} for every other node
 * @throws RewritingException as declared; the originating call is not visible
 *         in this method, so presumably it is raised by the sanitization step
 */
public VisitStatus visit(Gadget gadget, Node node) throws RewritingException {
  boolean isElement = node.getNodeType() == Node.ELEMENT_NODE;
  // Guard first: non-elements and non-<style> elements are passed through.
  if (!isElement || !"style".equalsIgnoreCase(node.getNodeName())) {
    return VisitStatus.BYPASS;
  }
  Element styleElement = (Element) node;
  cssSanitizer.sanitize(
      styleElement,
      gadget.getSpec().getUrl(),
      gadget.getContext(),
      cssImportRewriter,
      imageRewriter);
  return VisitStatus.MODIFY;
}
/**
 * Sanitizes inline {@code <style>} elements encountered while walking the
 * gadget document; all other nodes are bypassed.
 *
 * <p>The check is two-fold: the node must be an element, and its name must be
 * {@code "style"} ignoring case. Matching elements are delegated to
 * {@code cssSanitizer} with the gadget's spec URL, its context and the
 * import / image rewriters.
 *
 * @param gadget the gadget being rewritten
 * @param node   the node under inspection
 * @return {@code VisitStatus.MODIFY} if the element was sanitized,
 *         otherwise {@code VisitStatus.BYPASS}
 * @throws RewritingException as declared by this visitor; its source is not
 *         visible here and is presumably the sanitizer
 */
public VisitStatus visit(Gadget gadget, Node node) throws RewritingException {
  if (node.getNodeType() != Node.ELEMENT_NODE) {
    return VisitStatus.BYPASS;
  }
  if (!"style".equalsIgnoreCase(node.getNodeName())) {
    return VisitStatus.BYPASS;
  }
  // The node is known to be an element at this point, so the cast is safe.
  cssSanitizer.sanitize(
      (Element) node,
      gadget.getSpec().getUrl(),
      gadget.getContext(),
      cssImportRewriter,
      imageRewriter);
  return VisitStatus.MODIFY;
}
/**
 * Visitor callback: runs the CSS sanitizer over inline {@code <style>}
 * elements and leaves every other node as-is.
 *
 * @param gadget the gadget whose document is being walked
 * @param node   the current DOM node
 * @return {@code VisitStatus.MODIFY} when the node was a {@code <style>}
 *         element and was sanitized, {@code VisitStatus.BYPASS} otherwise
 * @throws RewritingException as declared; presumably propagated from the
 *         sanitizer, which is not visible in this method
 */
public VisitStatus visit(Gadget gadget, Node node) throws RewritingException {
  boolean isStyleElement =
      node.getNodeType() == Node.ELEMENT_NODE
          && "style".equalsIgnoreCase(node.getNodeName());
  if (!isStyleElement) {
    return VisitStatus.BYPASS;
  }
  Element style = (Element) node;
  // Sanitization happens in place on the element; the gadget's spec URL and
  // context are passed along with the two rewriters.
  cssSanitizer.sanitize(
      style, gadget.getSpec().getUrl(), gadget.getContext(), cssImportRewriter, imageRewriter);
  return VisitStatus.MODIFY;
}
/**
 * An unrecognized property ({@code iamevil}) must be dropped, leaving the rule
 * with an empty declaration block.
 */
@Test
public void testSanitizeBadField() throws Exception {
  CssTree.StyleSheet sheet = parser.parseDom(".xyz { iamevil: 1; }");
  sanitizer.sanitize(sheet, DUMMY, gadgetContext, importRewriter, imageRewriter);
  assertStyleEquals(".xyz {}", sheet);
}
/**
 * An absolute image URL in a {@code background} declaration is rewritten to
 * the mock container's proxy endpoint, with the original URL carried as the
 * encoded {@code url} query parameter and {@code sanitize=1} set.
 */
@Test
public void testProxyUrls() throws Exception {
  CssTree.StyleSheet sheet =
      parser.parseDom(".xyz { background: url('http://www.example.org/img.gif');}");
  sanitizer.sanitize(sheet, DUMMY, gadgetContext, importRewriter, imageRewriter);
  String expected =
      ".xyz { "
          + "background: url('//www.mock.com/dir/proxy?container=mockContainer&gadget=http%3A%2F%2Fwww.example.org%2Fbase"
          + "&debug=0&nocache=0&url=http%3A%2F%2Fwww.example.org%2Fimg.gif&"
          + "sanitize=1&rewriteMime=image%2F%2a');}";
  assertStyleEquals(expected, sheet);
}
/**
 * The vendor properties {@code behavior} and {@code -moz-binding} are expected
 * to be removed entirely, regardless of the URL they point at, so the rule
 * ends up with an empty declaration block.
 */
@Test
public void testSanitizeUnsafeProperties() throws Exception {
  String input =
      ".xyz { behavior: url('xyz.htc'); -moz-binding:url(\"http://ha.ckers.org/xssmoz.xml#xss\") }";
  CssTree.StyleSheet sheet = parser.parseDom(input);
  sanitizer.sanitize(sheet, DUMMY, gadgetContext, importRewriter, imageRewriter);
  assertStyleEquals(".xyz {}", sheet);
}
/**
 * Both {@code behavior} and {@code -moz-binding} declarations must be stripped
 * by the sanitizer; nothing of the original declaration block survives.
 */
@Test
public void testSanitizeUnsafeProperties() throws Exception {
  CssTree.StyleSheet sheet =
      parser.parseDom(
          ".xyz { behavior: url('xyz.htc'); -moz-binding:url(\"http://ha.ckers.org/xssmoz.xml#xss\") }");
  sanitizer.sanitize(sheet, DUMMY, gadgetContext, importRewriter, imageRewriter);
  assertStyleEquals(".xyz {}", sheet);
}
/**
 * Checks the exact proxied URL produced for the mock container, comparing the
 * serialized stylesheet with all whitespace removed so that only the escaping
 * of the query parameters is under test.
 */
@Test
public void testUrlEscapingMockContainer() throws Exception {
  CssTree.StyleSheet sheet =
      parser.parseDom(".xyz { background: url('http://www.example.org/img.gif');}");
  sanitizer.sanitize(sheet, DUMMY, gadgetContext, importRewriter, imageRewriter);
  String expected =
      ".xyz{"
          + "background:url('//www.mock.com/dir/proxy?container=mockContainer&gadget=http%3A%2F%2Fwww.example.org%2Fbase"
          + "&debug=0&nocache=0&url=http%3A%2F%2Fwww.example.org%2Fimg.gif"
          + "&sanitize=1&rewriteMime=image%2F%2a');}";
  // Whitespace is irrelevant to the escaping being verified here.
  String actual = parser.serialize(sheet).replaceAll("\\s", "");
  assertEquals(expected, actual);
}
/**
 * Ordinary, allowed declarations ({@code font}, {@code color}) must pass
 * through the sanitizer unchanged.
 */
@Test
public void testPreserveSafe() throws Exception {
  String safeCss = ".xyz { font: bold;} A { color: #7f7f7f}";
  CssTree.StyleSheet sheet = parser.parseDom(safeCss);
  sanitizer.sanitize(sheet, DUMMY, gadgetContext, importRewriter, imageRewriter);
  // The input doubles as the expected output: nothing should be removed.
  assertStyleEquals(safeCss, sheet);
}
/**
 * Safe rules are left intact: the sanitized stylesheet must equal the input.
 */
@Test
public void testPreserveSafe() throws Exception {
  final String original = ".xyz { font: bold;} A { color: #7f7f7f}";
  CssTree.StyleSheet parsed = parser.parseDom(original);
  sanitizer.sanitize(parsed, DUMMY, gadgetContext, importRewriter, imageRewriter);
  assertStyleEquals(original, parsed);
}
/**
 * A declaration whose value is an unknown function call ({@code iamevil(bold)})
 * must be removed, leaving an empty declaration block.
 */
@Test
public void testSanitizeFunctionCall() throws Exception {
  CssTree.StyleSheet sheet = parser.parseDom(".xyz { font : iamevil(bold); }");
  sanitizer.sanitize(sheet, DUMMY, gadgetContext, importRewriter, imageRewriter);
  assertStyleEquals(".xyz {}", sheet);
}
/**
 * Unknown CSS functions in a property value cause the whole declaration to be
 * dropped by the sanitizer.
 */
@Test
public void testSanitizeFunctionCall() throws Exception {
  String input = ".xyz { font : iamevil(bold); }";
  CssTree.StyleSheet parsed = parser.parseDom(input);
  sanitizer.sanitize(parsed, DUMMY, gadgetContext, importRewriter, imageRewriter);
  assertStyleEquals(".xyz {}", parsed);
}
/**
 * {@code url(...)} values using the {@code javascript:} and {@code vbscript:}
 * schemes must be removed, whether quoted or not, leaving an empty rule.
 */
@Test
public void testSanitizeScriptUrls() throws Exception {
  String input =
      ".xyz { background: url('javascript:doevill'); background : url(vbscript:moreevil); }";
  CssTree.StyleSheet sheet = parser.parseDom(input);
  sanitizer.sanitize(sheet, DUMMY, gadgetContext, importRewriter, imageRewriter);
  assertStyleEquals(".xyz {}", sheet);
}
/**
 * An absolute image URL is rewritten through the mock container's proxy; this
 * variant expects the {@code rewriteMime}, {@code sanitize} and {@code url}
 * parameters in that order.
 */
@Test
public void testProxyUrls() throws Exception {
  CssTree.StyleSheet sheet =
      parser.parseDom(".xyz { background: url('http://www.example.org/img.gif');}");
  sanitizer.sanitize(sheet, DUMMY, gadgetContext, importRewriter, imageRewriter);
  String expected =
      ".xyz { "
          + "background: url('//www.mock.com/dir/proxy?container=mockContainer&gadget=http%3A%2F%2Fwww.example.org%2Fbase"
          + "&debug=0&nocache=0&rewriteMime=image%2F%2a&sanitize=1&"
          + "url=http%3A%2F%2Fwww.example.org%2Fimg.gif');}";
  assertStyleEquals(expected, sheet);
}
/**
 * Verifies that a {@code font} declaration carrying an unknown function value
 * is stripped, yielding {@code .xyz {}}.
 */
@Test
public void testSanitizeFunctionCall() throws Exception {
  CssTree.StyleSheet parsed = parser.parseDom(".xyz { font : iamevil(bold); }");
  sanitizer.sanitize(parsed, DUMMY, gadgetContext, importRewriter, imageRewriter);
  assertStyleEquals(".xyz {}", parsed);
}
/**
 * A rule with a compound selector list (including {@code :hover} and
 * {@code :nth-child(even)}) and only safe declarations must survive
 * sanitization unchanged.
 */
@Test
public void testSanitizeCleanToParent() throws Exception {
  String safeCss =
      ".q_action:hover, #questionsDIV li:nth-child(even) .q_action:hover, .stream li:nth-child(even) .q_action:hover {"
          + " background: #d0ebfe; text-decoration: none; }";
  CssTree.StyleSheet sheet = parser.parseDom(safeCss);
  sanitizer.sanitize(sheet, DUMMY, gadgetContext, importRewriter, imageRewriter);
  assertStyleEquals(safeCss, sheet);
}
/**
 * Script-scheme URLs ({@code javascript:}, {@code vbscript:}) in
 * {@code background} declarations must be dropped by the sanitizer.
 */
@Test
public void testSanitizeScriptUrls() throws Exception {
  CssTree.StyleSheet parsed =
      parser.parseDom(
          ".xyz { background: url('javascript:doevill'); background : url(vbscript:moreevil); }");
  sanitizer.sanitize(parsed, DUMMY, gadgetContext, importRewriter, imageRewriter);
  assertStyleEquals(".xyz {}", parsed);
}
/**
 * Allowed properties must not be altered: the sanitizer output equals the
 * input for a stylesheet containing only {@code font} and {@code color}.
 */
@Test
public void testPreserveSafe() throws Exception {
  String input = ".xyz { font: bold;} A { color: #7f7f7f}";
  CssTree.StyleSheet sheet = parser.parseDom(input);
  sanitizer.sanitize(sheet, DUMMY, gadgetContext, importRewriter, imageRewriter);
  assertStyleEquals(input, sheet);
}
/**
 * Safe declarations under a multi-part selector list are preserved verbatim.
 */
@Test
public void testSanitizeCleanToParent() throws Exception {
  final String original =
      ".q_action:hover, #questionsDIV li:nth-child(even) .q_action:hover, .stream li:nth-child(even) .q_action:hover {"
          + " background: #d0ebfe; text-decoration: none; }";
  CssTree.StyleSheet parsed = parser.parseDom(original);
  sanitizer.sanitize(parsed, DUMMY, gadgetContext, importRewriter, imageRewriter);
  // Expected output is the unchanged input.
  assertStyleEquals(original, parsed);
}
/**
 * Verifies the exact escaped proxy URL for the mock container (parameter order
 * {@code rewriteMime}, {@code sanitize}, {@code url}); whitespace is stripped
 * from the serialized stylesheet before comparison.
 */
@Test
public void testUrlEscapingMockContainer() throws Exception {
  CssTree.StyleSheet parsed =
      parser.parseDom(".xyz { background: url('http://www.example.org/img.gif');}");
  sanitizer.sanitize(parsed, DUMMY, gadgetContext, importRewriter, imageRewriter);
  String serializedWithoutWhitespace = parser.serialize(parsed).replaceAll("\\s", "");
  assertEquals(
      ".xyz{"
          + "background:url('//www.mock.com/dir/proxy?container=mockContainer&gadget=http%3A%2F%2Fwww.example.org%2Fbase"
          + "&debug=0&nocache=0&rewriteMime=image%2F%2a&sanitize=1"
          + "&url=http%3A%2F%2Fwww.example.org%2Fimg.gif');}",
      serializedWithoutWhitespace);
}