nahsra · jonah1und1 · Jan 20, 2025 · Jan 24, 2025 · spassarop · Jan 22, 2025
diff --git a/src/main/java/org/owasp/validator/css/CssValidator.java b/src/main/java/org/owasp/validator/css/CssValidator.java
@@ -28,6 +28,7 @@
  */
 package org.owasp.validator.css;
 
+import java.text.DecimalFormat;
 import java.util.Iterator;
 import java.util.regex.Pattern;
 import org.owasp.validator.html.Policy;
@@ -344,15 +345,15 @@ public String lexicalValueToString(LexicalUnit lu) {
         // this is a rgb encoded color
         StringBuffer sb = new StringBuffer("rgb(");
         LexicalUnit param = lu.getParameters();
-        sb.append(param.getIntegerValue()); // R value
+        sb.append(getColorValue(param)); // R value
         sb.append(',');
         param = param.getNextLexicalUnit(); // comma
         param = param.getNextLexicalUnit(); // G value
-        sb.append(param.getIntegerValue());
+        sb.append(getColorValue(param));
         sb.append(',');
         param = param.getNextLexicalUnit(); // comma
         param = param.getNextLexicalUnit(); // B value
-        sb.append(param.getIntegerValue());
+        sb.append(getColorValue(param));
         sb.append(')');
 
         return sb.toString();
@@ -404,4 +405,20 @@ public String lexicalValueToString(LexicalUnit lu) {
         return null;
     }
   }
+
+  /**
+   * Returns color value as int.
+   * Maps percentages to values between 0 and 255.
+   * Negative percentages are mapped to 0, values bigger than 100% to 255.
+   *
+   * @param param LexicalUnit
+   * @return color value as int
+   */
+  private static String getColorValue(LexicalUnit param) {
+    if (param.getLexicalUnitType() == LexicalUnit.SAC_PERCENTAGE) {
+      return new DecimalFormat("0.#").format(param.getFloatValue()) + "%";
+    } else {
+      return "" + param.getIntegerValue();
+    }
+  }
 }
diff --git a/src/main/resources/antisamy.xml b/src/main/resources/antisamy.xml
@@ -109,6 +109,10 @@
         <regexp name="rgbCode"
             value="rgb\(([1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5]),([1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5]),([1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])\)" />
 
+        <!-- Relative color values between 0%-100% are also allowed -->
+        <regexp name="rgbPercentage"
+                value="rgb\(([0-9][0-9]?|100)\.?\d*%,([0-9][0-9]?|100)\.?\d*%,([0-9][0-9]?|100)\.?\d*%\)" />
+
         <!-- CSS2 Allowed System Color Values -->
         <regexp name="systemColor"
             value="(activeborder|activecaption|appworkspace|background|buttonface|buttonhighlight|buttonshadow|buttontext|captiontext|graytext|highlight|highlighttext|inactiveborder|inactivecaption|inactivecaptiontext|infobackground|infotext|menu|menutext|scrollbar|threeddarkshadow|threedface|threedhighlight|threedlightshadow|threedshadow|window|windowframe|windowtext)" />
@@ -1141,6 +1145,7 @@
                 <regexp name="colorName" />
                 <regexp name="colorCode" />
                 <regexp name="rgbCode" />
+                <regexp name="rgbPercentage" />
                 <regexp name="systemColor" />
             </regexp-list>
         </property>
@@ -1207,6 +1212,7 @@
                 <regexp name="colorName" />
                 <regexp name="colorCode" />
                 <regexp name="rgbCode" />
+                <regexp name="rgbPercentage" />
                 <regexp name="systemColor" />
             </regexp-list>
         </property>
@@ -1221,6 +1227,7 @@
                 <regexp name="colorName" />
                 <regexp name="colorCode" />
                 <regexp name="rgbCode" />
+                <regexp name="rgbPercentage" />
                 <regexp name="systemColor" />
             </regexp-list>
         </property>
@@ -1235,6 +1242,7 @@
                 <regexp name="colorName" />
                 <regexp name="colorCode" />
                 <regexp name="rgbCode" />
+                <regexp name="rgbPercentage" />
                 <regexp name="systemColor" />
             </regexp-list>
         </property>
@@ -1249,6 +1257,7 @@
                 <regexp name="colorName" />
                 <regexp name="colorCode" />
                 <regexp name="rgbCode" />
+                <regexp name="rgbPercentage" />
                 <regexp name="systemColor" />
             </regexp-list>
         </property>
@@ -1263,6 +1272,7 @@
                 <regexp name="colorName" />
                 <regexp name="colorCode" />
                 <regexp name="rgbCode" />
+                <regexp name="rgbPercentage" />
                 <regexp name="systemColor" />
             </regexp-list>
         </property>
@@ -1314,6 +1324,7 @@
                 <regexp name="colorName" />
                 <regexp name="colorCode" />
                 <regexp name="rgbCode" />
+                <regexp name="rgbPercentage" />
                 <regexp name="systemColor" />
             </regexp-list>
         </property>
@@ -1693,6 +1704,7 @@
                 <regexp name="colorName" />
                 <regexp name="colorCode" />
                 <regexp name="rgbCode" />
+                <regexp name="rgbPercentage" />
                 <regexp name="systemColor" />
             </regexp-list>
         </property>
@@ -2348,6 +2360,7 @@
                 <regexp name="colorName" />
                 <regexp name="colorCode" />
                 <regexp name="rgbCode" />
+                <regexp name="rgbPercentage" />
                 <regexp name="systemColor" />
             </regexp-list>
             <shorthand-list>
@@ -2366,6 +2379,7 @@
                 <regexp name="colorName" />
                 <regexp name="colorCode" />
                 <regexp name="rgbCode" />
+                <regexp name="rgbPercentage" />
                 <regexp name="systemColor" />
             </regexp-list>
             <shorthand-list>
@@ -2384,6 +2398,7 @@
                 <regexp name="colorName" />
                 <regexp name="colorCode" />
                 <regexp name="rgbCode" />
+                <regexp name="rgbPercentage" />
                 <regexp name="systemColor" />
             </regexp-list>
             <shorthand-list>
@@ -2402,6 +2417,7 @@
                 <regexp name="colorName" />
                 <regexp name="colorCode" />
                 <regexp name="rgbCode" />
+                <regexp name="rgbPercentage" />
                 <regexp name="systemColor" />
             </regexp-list>
             <shorthand-list>
@@ -2420,6 +2436,7 @@
                 <regexp name="colorName" />
                 <regexp name="colorCode" />
                 <regexp name="rgbCode" />
+                <regexp name="rgbPercentage" />
                 <regexp name="systemColor" />
             </regexp-list>
             <shorthand-list>
@@ -2587,6 +2604,7 @@
                 <regexp name="colorName" />
                 <regexp name="colorCode" />
                 <regexp name="rgbCode" />
+                <regexp name="rgbPercentage" />
                 <regexp name="systemColor" />
                 <regexp name="length" />
             </regexp-list>

diff --git a/src/test/java/org/owasp/validator/html/test/AntiSamyTest.java b/src/test/java/org/owasp/validator/html/test/AntiSamyTest.java
@@ -2725,4 +2725,34 @@ public void testGithubIssue484() throws ScanException, PolicyException {
     assertEquals("<p>this is para data</p>\n" + "<br/>\n" + "<p>this is para data 2</p>", domValue);
     assertEquals("<p>this is para data</p>\n" + "<br/>\n" + "<p>this is para data 2</p>", saxValue);
   }
+
+  @Test
+  public void testGithubIssue546() throws ScanException, PolicyException {
+    //Given
+    String taintedHtml = "<style>.cl { color: rgb(50%, 20.5%, 100%); }</style>";
+
+    //When
+    CleanResults crDom = as.scan(taintedHtml, policy, AntiSamy.DOM);
+    CleanResults crSax = as.scan(taintedHtml, policy, AntiSamy.SAX);
+
+    //Then
+    String expectedCleanHtml = "<style>*.cl {\n\tcolor: rgb(50%,20.5%,100%);\n}\n</style>";
+    assertEquals(expectedCleanHtml, crDom.getCleanHTML());
+    assertEquals(expectedCleanHtml, crSax.getCleanHTML());
+  }
+
+  @Test
+  public void testGithubIssue546FaultyPercentagesGetFilteredByRegex() throws ScanException, PolicyException {
+    //Given
+    String taintedHtml = "<style>.cl { color: rgb(50%, -20%, 150%); }</style>";
+
+    //When
+    CleanResults crDom = as.scan(taintedHtml, policy, AntiSamy.DOM);
+    CleanResults crSax = as.scan(taintedHtml, policy, AntiSamy.SAX);
+
+    //Then
+    String expectedCleanHtml = "<style>*.cl {\n}\n</style>";
+    assertEquals(expectedCleanHtml, crDom.getCleanHTML());
+    assertEquals(expectedCleanHtml, crSax.getCleanHTML());
+  }
 }