4

Is there a good library in Java for sanitizing CSS stylesheets? We would like to allow admin users to upload CSS stylesheets to control the look of portion of the site that they administrate. Naturally we do not want to allox XSS attacks such as background:url(javascript:) so we are looking for a good sanitization solution.

The only thing I have found so far that I have liked uses the Google Caja CssTree parser to exclude dangerous tags from CSS. I may end up using something like this, but if someone knows of a library that I do not have to bring down so many dependencies for, and extract, that would be helpful.

Solution: Used AntiSamy library like Vineet Reynolds suggested

        Policy policy = Policy.getInstance("antisamy.xml");
        ResourceBundle messages = ResourceBundle.getBundle("AntiSamy", Locale.getDefault());

        CssScanner scanner = new CssScanner(policy, messages);
        CleanResults results = scanner.scanStyleSheet(stylesheet, Integer.MAX_VALUE);
Ransom Briggs
  • 3,025
  • 3
  • 32
  • 46

4 Answers4

3

OWASP AntiSamy can perform CSS stylesheet validation; I haven't tried that feature in particular though. Also, I'm not sure if it fits your bill of being a project with too many dependencies. It relies on Apache Batik internally to perform the parsing of the stylesheet.

If I were security conscious, I wouldn't be bothered with downstream dependencies; I would choose the appropriate tool for the task.

Vineet Reynolds
  • 76,006
  • 17
  • 150
  • 174
  • Wow - thanks a lot for this - I will probably use it for html as well. What makes it double special is that it actually has error messages so I can reject people and tell them why. – Ransom Briggs Jun 14 '11 at 19:34
  • @Ransom, well good to know that it will suit your needs. But do take a look at the issues page on GoogleCode as well. – Vineet Reynolds Jun 15 '11 at 06:01
0

Java's built-in StyleSheet and CSS class has support for parsing stylesheets and allowing you to interact with them (remove certain properties, enforce certain properties, etc.). I'm not sure if they are completely up to date and model every available property, but it's something worth looking into (one less library to ship!)

Darth Android
  • 3,437
  • 18
  • 19
0

You might be able to use the CSSParser from the Flying saucer project

You would still have to iterate over all of the rules and decide if they are dangerous or not.

Gareth Davis
  • 27,701
  • 12
  • 73
  • 106
0

The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are and the best practices in defending against them. It recommends using OWASP's ESAPI Project to build your defenses against XSS. This ESAPI project has created an encoding library which comes in a variety of languages including Java, .NET, PHP, Classic ASP, Cold Fusion, Python, and Haskell. It has tools for encoding untrusted data for the context that you're dealing with:

encodeForHTML
encodeForHTMLAttribute
encodeForJavaScript
encodeForCSS
encodeForURL

It also has a validator which validates for the context the input belongs to:

boolean isValidURL = ESAPI.validator().isValidInput("URLContext", userURL, "URL", 255, false);

Some organisations using ESAPI include American Express, Apache Foundation, Booz Allen Hamilton, Aspect Security, Foundstone(McAfee), The Hartford, Infinite Campus, Lockheed Martin, MITRE, U.S. Navy - SPAWAR, The World Bank, SANS Institute.

I also recommend giving their XSS Prevention Cheat Sheet a read which describes the best practices in building your defenses against XSS (it essentially boils down to that you MUST use the escape syntax for the part of the HTML document you’re putting untrusted data into).

Markus Coetzee
  • 3,384
  • 1
  • 29
  • 26