修改了一些bug
@@ -3,12 +3,35 @@
|
||||
<PropertyGroup>
|
||||
<TargetFramework>netcoreapp3.1</TargetFramework>
|
||||
<RootNamespace>Ufangx.Xss</RootNamespace>
|
||||
<Authors>Jackson.bruce</Authors>
|
||||
<PackageProjectUrl>https://github.com/JacksonBruce/AntiXssUF</PackageProjectUrl>
|
||||
<RepositoryUrl>https://github.com/JacksonBruce/AntiXssUF.git</RepositoryUrl>
|
||||
<RepositoryType>git</RepositoryType>
|
||||
<Description>anti xss mvc model binder policy</Description>
|
||||
<PackageTags>anti xss mvc model binder policy</PackageTags>
|
||||
<Company>ufangx</Company>
|
||||
<Copyright>Copyright (c) 2020 Jackson.Bruce</Copyright>
|
||||
<PackageReleaseNotes>https://github.com/JacksonBruce/AntiXssUF/blob/master/README.md</PackageReleaseNotes>
|
||||
<Version>1.0.0-beta.0</Version>
|
||||
<GeneratePackageOnBuild>true</GeneratePackageOnBuild>
|
||||
</PropertyGroup>
|
||||
|
||||
<ItemGroup>
|
||||
<Compile Remove="AntiXssUFMvcServiceCollectionExtensions.cs" />
|
||||
</ItemGroup>
|
||||
|
||||
<ItemGroup>
|
||||
<None Remove="resources\antixss-policy-Default.json" />
|
||||
</ItemGroup>
|
||||
|
||||
<ItemGroup>
|
||||
<EmbeddedResource Include="resources\antixss-policy-Default.json">
|
||||
<CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
|
||||
<ExcludeFromSingleFile>true</ExcludeFromSingleFile>
|
||||
<CopyToPublishDirectory>PreserveNewest</CopyToPublishDirectory>
|
||||
</EmbeddedResource>
|
||||
</ItemGroup>
|
||||
|
||||
<ItemGroup>
|
||||
<PackageReference Include="Microsoft.AspNetCore.Mvc.Abstractions" Version="2.2.0" />
|
||||
<PackageReference Include="Microsoft.AspNetCore.Mvc.Core" Version="2.2.5" />
|
||||
@@ -18,4 +41,34 @@
|
||||
<ProjectReference Include="..\AntiXssUF\AntiXssUF.csproj" />
|
||||
</ItemGroup>
|
||||
|
||||
<ItemGroup>
|
||||
<None Update="resources\antixss-policy-antisamy-anythinggoes.xml">
|
||||
<CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
|
||||
</None>
|
||||
<None Update="resources\antixss-policy-antisamy-ebay.xml">
|
||||
<CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
|
||||
</None>
|
||||
<None Update="resources\antixss-policy-antisamy-myspace.xml">
|
||||
<CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
|
||||
</None>
|
||||
<None Update="resources\antixss-policy-antisamy-slashdot.xml">
|
||||
<CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
|
||||
</None>
|
||||
<None Update="resources\antixss-policy-antisamy-test.xml">
|
||||
<CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
|
||||
</None>
|
||||
<None Update="resources\antixss-policy-antisamy.xml">
|
||||
<CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
|
||||
</None>
|
||||
<None Update="resources\antixss-policy-Default.config">
|
||||
<CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
|
||||
</None>
|
||||
<None Update="resources\antixss-policy-Default.xml">
|
||||
<CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
|
||||
</None>
|
||||
<None Update="resources\antixss-policy.xsd">
|
||||
<CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
|
||||
</None>
|
||||
</ItemGroup>
|
||||
|
||||
</Project>
|
||||
|
||||
2417
AntiXssUF.Mvc/resources/antixss-policy-Default.config
Normal file
2015
AntiXssUF.Mvc/resources/antixss-policy-Default.json
Normal file
2417
AntiXssUF.Mvc/resources/antixss-policy-Default.xml
Normal file
2573
AntiXssUF.Mvc/resources/antixss-policy-antisamy-anythinggoes.xml
Normal file
2385
AntiXssUF.Mvc/resources/antixss-policy-antisamy-ebay.xml
Normal file
2558
AntiXssUF.Mvc/resources/antixss-policy-antisamy-myspace.xml
Normal file
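--- a/AntiXssUF.Mvc/resources/antixss-policy-antisamy-slashdot.xml
+++ b/AntiXssUF.Mvc/resources/antixss-policy-antisamy-slashdot.xml
@@ -0,0 +1,176 @@
+<?xml version="1.0" encoding="ISO-8859-1"?>
+
+<!--
+W3C rules retrieved from:
+http://www.w3.org/TR/html401/struct/global.html
+-->
+
+<!--
+Slashdot allowed tags taken from "Reply" page:
+<b> <i> <p> <br> <a> <ol> <ul> <li> <dl> <dt> <dd> <em> <strong> <tt> <blockquote> <div> <ecode> <quote>
+-->
+
+<anti-samy-rules xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+xsi:noNamespaceSchemaLocation="antixss-policy.xsd">
+
+<directives>
+<directive name="omitXmlDeclaration" value="true"/>
+<directive name="omitDoctypeDeclaration" value="true"/>
+<directive name="maxInputSize" value="5000"/>
+<directive name="useXHTML" value="true"/>
+<directive name="formatOutput" value="true"/>
+
+<directive name="embedStyleSheets" value="false"/>
+</directives>
+
+
+<common-regexps>
+
+<!--
+From W3C:
+This attribute assigns a class name or set of class names to an
+element. Any number of elements may be assigned the same class
+name or names. Multiple class names must be separated by white
+space characters.
+-->
+
+<regexp name="htmlTitle" value="[\p{L}\p{N}\s-_',:\[\]!\./\\\(\)]*"/> <!-- force non-empty with a '+' at the end instead of '*' -->
+<regexp name="onsiteURL" value="([\p{L}\p{N}\\/\.\?=\#&;\-_~]+|\#(\w)+)"/>
+<regexp name="offsiteURL" value="(\s)*((ht|f)tp(s?)://|mailto:)[\p{L}\p{N}]+[~\p{L}\p{N}\p{Zs}\-_\.@#$%&;:,\?=/\+!]*(\s)*"/>
+
+</common-regexps>
+
+<!--
+
+Tag.name = a, b, div, body, etc.
+Tag.action = filter: remove tags, but keep content, validate: keep content as long as it passes rules, remove: remove tag and contents
+Attribute.name = id, class, href, align, width, etc.
+Attribute.onInvalid = what to do when the attribute is invalid, e.g., remove the tag (removeTag), remove the attribute (removeAttribute), filter the tag (filterTag)
+Attribute.description = What rules in English you want to tell the users they can have for this attribute. Include helpful things so they'll be able to tune their HTML
+
+-->
+
+<!--
+Some attributes are common to all (or most) HTML tags. There aren't many that qualify for this. You have to make sure there's no
+collisions between any of these attribute names with attribute names of other tags that are for different purposes.
+-->
+
+<common-attributes>
+
+
+<attribute name="lang" description="The 'lang' attribute tells the browser what language the element's attribute values and content are written in">
+<regexp-list>
+<regexp value="[a-zA-Z]{2,20}"/>
+</regexp-list>
+</attribute>
+
+<attribute name="title" description="The 'title' attribute provides text that shows up in a 'tooltip' when a user hovers their mouse over the element">
+<regexp-list>
+<regexp name="htmlTitle"/>
+</regexp-list>
+</attribute>
+
+<attribute name="href" onInvalid="filterTag">
+<regexp-list>
+<regexp name="onsiteURL"/>
+<regexp name="offsiteURL"/>
+</regexp-list>
+</attribute>
+
+<attribute name="align" description="The 'align' attribute of an HTML element is a direction word, like 'left', 'right' or 'center'">
+<literal-list>
+<literal value="center"/>
+<literal value="left"/>
+<literal value="right"/>
+<literal value="justify"/>
+<literal value="char"/>
+</literal-list>
+</attribute>
+
+</common-attributes>
+
+
+<!--
+This requires normal updates as browsers continue to diverge from the W3C and each other. As long as the browser wars continue
+this is going to continue. I'm not sure war is the right word for what's going on. Doesn't somebody have to win a war after
+a while?
+-->
+
+<global-tag-attributes>
+<attribute name="title"/>
+<attribute name="lang"/>
+</global-tag-attributes>
+
+
+<tag-rules>
+
+<!-- Tags related to JavaScript -->
+
+<tag name="script" action="remove"/>
+<tag name="noscript" action="remove"/>
+
+<!-- Frame & related tags -->
+
+<tag name="iframe" action="remove"/>
+<tag name="frameset" action="remove"/>
+<tag name="frame" action="remove"/>
+<tag name="noframes" action="remove"/>
+
+<!-- CSS related tags -->
+<tag name="style" action="remove"/>
+
+<!-- All reasonable formatting tags -->
+
+<tag name="p" action="validate">
+<attribute name="align"/>
+</tag>
+
+<tag name="div" action="validate"/>
+<tag name="i" action="validate"/>
+<tag name="b" action="validate"/>
+<tag name="em" action="validate"/>
+<tag name="blockquote" action="validate"/>
+<tag name="tt" action="validate"/>
+
+<tag name="br" action="truncate"/>
+
+<!-- Custom Slashdot tags, though we're trimming the idea of having a possible mismatching end tag with the endtag="" attribute -->
+
+<tag name="quote" action="validate"/>
+<tag name="ecode" action="validate"/>
+
+
+<!-- Anchor and anchor related tags -->
+
+<tag name="a" action="validate">
+
+<attribute name="href" onInvalid="filterTag"/>
+<attribute name="nohref">
+<literal-list>
+<literal value="nohref"/>
+<literal value=""/>
+</literal-list>
+</attribute>
+<attribute name="rel">
+<literal-list>
+<literal value="nofollow"/>
+</literal-list>
+</attribute>
+</tag>
+
+<!-- List tags -->
+
+<tag name="ul" action="validate"/>
+<tag name="ol" action="validate"/>
+<tag name="li" action="validate"/>
+
+</tag-rules>
+
+
+
+<!-- No CSS on Slashdot posts -->
+
+<css-rules>
+</css-rules>
+
+</anti-samy-rules>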
862
AntiXssUF.Mvc/resources/antixss-policy-antisamy-test.xml
Normal file
@@ -0,0 +1,862 @@
|
||||
<?xml version="1.0" encoding="ISO-8859-1" ?>
|
||||
|
||||
|
||||
<!--
|
||||
W3C rules retrieved from:
|
||||
http://www.w3.org/TR/html401/struct/global.html
|
||||
-->
|
||||
|
||||
|
||||
<anti-samy-rules xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
||||
xsi:noNamespaceSchemaLocation="antixss-policy.xsd">
|
||||
|
||||
<directives>
|
||||
<directive name="omitXmlDeclaration" value="true"/>
|
||||
<directive name="omitDoctypeDeclaration" value="true"/>
|
||||
<directive name="maxInputSize" value="20001"/>
|
||||
<directive name="useXHTML" value="true"/>
|
||||
<directive name="formatOutput" value="true"/>
|
||||
|
||||
<!--
|
||||
remember, this won't work for relative URIs - AntiSamy doesn't
|
||||
know anything about the URL or your web structure
|
||||
-->
|
||||
<directive name="embedStyleSheets" value="false"/>
|
||||
|
||||
</directives>
|
||||
|
||||
<common-regexps>
|
||||
|
||||
<!--
|
||||
From W3C:
|
||||
This attribute assigns a class name or set of class names to an
|
||||
element. Any number of elements may be assigned the same class
|
||||
name or names. Multiple class names must be separated by white
|
||||
space characters.
|
||||
-->
|
||||
<regexp name="colorNameOrCode" value="(#[0-9a-fA-F]{6}|[a-zA-Z]{1,20})"/>
|
||||
<regexp name="number" value="[0-9]+"/>
|
||||
<regexp name="anything" value=".*"/>
|
||||
<regexp name="numberOrPercent" value="(\d)+(%{0,1})"/>
|
||||
<regexp name="paragraph" value="([\p{L}\p{N},'\.\s\-_\(\)]|&[0-9]{2};)*"/>
|
||||
<regexp name="htmlId" value="[a-zA-Z0-9-_]+"/>
|
||||
<regexp name="htmlTitle" value="[\p{L}\p{N}\s-_',:\[\]!\./\\\(\)]*"/> <!-- force non-empty with a '+' at the end instead of '*' -->
|
||||
<regexp name="htmlClass" value="[a-zA-Z0-9\s,-_]+"/>
|
||||
|
||||
<regexp name="onsiteURL" value="([\p{L}\p{N}\\/\.\?=\#&;\-_~]+|\#(\w)+)"/>
|
||||
<regexp name="offsiteURL" value="(\s)*((ht|f)tp(s?)://|mailto:)[\p{L}\p{N}]+[~\p{L}\p{N}\p{Zs}\-_\.@#$%&;:,\?=/\+!]*(\s)*"/>
|
||||
|
||||
<regexp name="boolean" value="(true|false)"/>
|
||||
<regexp name="singlePrintable" value="[a-zA-Z0-9]{1}"/> <!-- \w allows the '_' character -->
|
||||
|
||||
<!-- This is for elements (ex: elemName { ... }) -->
|
||||
<regexp name="cssElementSelector" value="[a-zA-Z0-9\-_]+|\*"/>
|
||||
|
||||
<!-- This is to list out any element names that are *not* valid -->
|
||||
<regexp name="cssElementExclusion" value=""/>
|
||||
|
||||
<!-- This if for classes (ex: .className { ... }) -->
|
||||
<regexp name="cssClassSelector" value="\.[a-zA-Z0-9\-_]+"/>
|
||||
|
||||
<!-- This is to list out any class names that are *not* valid -->
|
||||
<regexp name="cssClassExclusion" value=""/>
|
||||
|
||||
<!-- This is for ID selectors (ex: #myId { ... } -->
|
||||
<regexp name="cssIDSelector" value="#[a-zA-Z0-9\-_]+"/>
|
||||
|
||||
<!-- This is for ID selectors (ex: #myId { ... } -->
|
||||
<regexp name="cssId" value="#[a-zA-Z0-9\-_]+"/>
|
||||
|
||||
<!-- This is to list out any IDs that are *not* valid - FIXME: What should the default be to avoid div hijacking? *? -->
|
||||
<regexp name="cssIDExclusion" value=""/>
|
||||
|
||||
<!-- This is for pseudo-element selector (ex. foo:pseudo-element { ... } -->
|
||||
<regexp name="cssPseudoElementSelector" value=":[a-zA-Z0-9\-_]+"/>
|
||||
|
||||
<!-- This is to list out any psuedo-element names that are *not* valid -->
|
||||
<regexp name="cssPsuedoElementExclusion" value=""/>
|
||||
|
||||
<!-- This is for attribute selectors (ex. foo[attr=value] { ... } -->
|
||||
<regexp name="cssAttributeSelector" value="\[[a-zA-Z0-9-_]+((=|~=|\|=){1}[a-zA-Z0-9\-_]+){1}\]"/>
|
||||
|
||||
<!-- This is to list out any attribute names that are *not* valid -->
|
||||
<regexp name="cssAttributeExclusion" value=""/>
|
||||
|
||||
<!-- This is for resources referenced from CSS (such as background images and other imported stylesheets) -->
|
||||
<regexp name="cssOnsiteUri" value="url\(([\p{L}\p{N}\\/\.\?=\#&;\-_~]+|\#(\w)+)\)"/>
|
||||
<regexp name="cssOffsiteUri" value="url\((\s)*((ht|f)tp(s?)://)[\p{L}\p{N}]+[~\p{L}\p{N}\p{Zs}\-_\.@#$%&;:,\?=/\+!]*(\s)*\)"/>
|
||||
|
||||
<!-- This is for comments within CSS (ex. /* comment */) -->
|
||||
<regexp name="cssCommentText" value="[\p{L}\p{N}-_,\/\\\.\s\(\)!\?\=\$#%\^&:\[\]"']+"/>
|
||||
|
||||
<regexp name="integer" value="(-|\+)?[0-9]+"/>
|
||||
<regexp name="number" value="(-|\+)?([0-9]+(.[0-9]+)?)"/>
|
||||
<regexp name="angle" value="(-|\+)?([0-9]+(.[0-9]+)?)(deg|grads|rad)"/>
|
||||
<regexp name="time" value="([0-9]+(.[0-9]+)?)(ms|s)"/>
|
||||
<regexp name="frequency" value="([0-9]+(.[0-9]+)?)(hz|khz)"/>
|
||||
<regexp name="length" value="((-|\+)?0|(-|\+)?([0-9]+(.[0-9]+)?)(em|ex|px|in|cm|mm|pt|pc))"/>
|
||||
<regexp name="percentage" value="(-|\+)?([0-9]+(.[0-9]+)?)%"/>
|
||||
<regexp name="cssColor" value="(aqua|black|blue|fuchsia|gray|grey|green|lime|maroon|navy|olive|purple|red|silver|teal|white|yellow)|(^#[0-9a-fA-F]{3,3}$)|(^#[0-9a-fA-F]{6,6}$)|rgba?\\(\\s*([1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])\\s*,\\s*([1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])\\s*,\\s*([1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])(\\s*,\\s*[1])?\\s*\\)"/>
|
||||
<regexp name="absolute-size" value="(xx-small|x-small|small|medium|large|x-large|xx-large)"/>
|
||||
<regexp name="relative-size" value="(larger|smaller)"/>
|
||||
</common-regexps>
|
||||
|
||||
<!--
|
||||
|
||||
Tag.name = a, b, div, body, etc.
|
||||
Tag.action = filter: remove tags, but keep content, validate: keep content as long as it passes rules, remove: remove tag and contents
|
||||
Attribute.name = id, class, href, align, width, etc.
|
||||
Attribute.onInvalid = what to do when the attribute is invalid, e.g., remove the tag (removeTag), remove the attribute (removeAttribute), filter the tag (filterTag)
|
||||
Attribute.description = What rules in English you want to tell the users they can have for this attribute. Include helpful things so they'll be able to tune their HTML
|
||||
|
||||
-->
|
||||
|
||||
<!--
|
||||
Some attributes are common to all (or most) HTML tags. There aren't many that qualify for this. You have to make sure there's no
|
||||
collisions between any of these attribute names with attribute names of other tags that are for different purposes.
|
||||
-->
|
||||
|
||||
<common-attributes>
|
||||
|
||||
|
||||
<!-- Common to all HTML tags -->
|
||||
|
||||
<attribute name="id" description="The 'id' of any HTML attribute should not contain anything besides letters and numbers">
|
||||
<regexp-list>
|
||||
<regexp value="[a-zA-Z0-9_\-\:]+"/>
|
||||
</regexp-list>
|
||||
</attribute>
|
||||
|
||||
<attribute name="class" description="The 'class' of any HTML attribute is usually a single word, but it can also be a list of class names separated by spaces">
|
||||
<regexp-list>
|
||||
<regexp name="htmlClass"/>
|
||||
</regexp-list>
|
||||
</attribute>
|
||||
|
||||
<attribute name="lang" description="The 'lang' attribute tells the browser what language the element's attribute values and content are written in">
|
||||
<regexp-list>
|
||||
<regexp value="[a-zA-Z]{2,20}"/>
|
||||
</regexp-list>
|
||||
</attribute>
|
||||
<attribute name="title" description="The 'title' attribute provides text that shows up in a 'tooltip' when a user hovers their mouse over the element">
|
||||
<regexp-list>
|
||||
<regexp name="htmlTitle"/>
|
||||
</regexp-list>
|
||||
</attribute>
|
||||
|
||||
<attribute name="alt" description="The 'alt' attribute provides alternative text to users when its visual representation is not available">
|
||||
<regexp-list>
|
||||
<regexp name="paragraph"/>
|
||||
</regexp-list>
|
||||
</attribute>
|
||||
|
||||
|
||||
<!-- the "style" attribute will be validated by an inline stylesheet scanner, so no need to define anything here - i hate having to special case this but no other choice -->
|
||||
<attribute name="style" description="The 'style' attribute provides the ability for users to change many attributes of the tag's contents using a strict syntax"/>
|
||||
|
||||
<attribute name="media">
|
||||
<literal-list>
|
||||
<literal value="screen"/>
|
||||
<literal value="tty"/>
|
||||
<literal value="tv"/>
|
||||
<literal value="projection"/>
|
||||
<literal value="handheld"/>
|
||||
<literal value="print"/>
|
||||
<literal value="braille"/>
|
||||
<literal value="aural"/>
|
||||
<literal value="all"/>
|
||||
</literal-list>
|
||||
</attribute>
|
||||
|
||||
|
||||
<!-- Anchor related -->
|
||||
|
||||
<!-- onInvalid="filterTag" has been removed as per suggestion at OWASP SJ 2007 - just "name" is valid -->
|
||||
<attribute name="href">
|
||||
<regexp-list>
|
||||
<regexp name="onsiteURL"/>
|
||||
<regexp name="offsiteURL"/>
|
||||
</regexp-list>
|
||||
</attribute>
|
||||
|
||||
<attribute name="name">
|
||||
<regexp-list>
|
||||
|
||||
<regexp value="[a-zA-Z0-9-_\$]+"/>
|
||||
|
||||
<!--
|
||||
have to allow the $ for .NET controls - although,
|
||||
will users be supplying input that has server-generated
|
||||
.NET control names? methinks not, but i want to pass my
|
||||
test cases
|
||||
-->
|
||||
|
||||
</regexp-list>
|
||||
</attribute>
|
||||
|
||||
|
||||
<attribute name="shape" description="The 'shape' attribute defines the shape of the selectable area">
|
||||
<literal-list>
|
||||
<literal value="default"/>
|
||||
<literal value="rect"/>
|
||||
<literal value="circle"/>
|
||||
<literal value="poly"/>
|
||||
</literal-list>
|
||||
</attribute>
|
||||
|
||||
|
||||
|
||||
<!-- Table attributes -->
|
||||
|
||||
<attribute name="border">
|
||||
<regexp-list>
|
||||
<regexp name="number"/>
|
||||
</regexp-list>
|
||||
</attribute>
|
||||
|
||||
<attribute name="cellpadding">
|
||||
<regexp-list>
|
||||
<regexp name="number"/>
|
||||
</regexp-list>
|
||||
</attribute>
|
||||
|
||||
<attribute name="cellspacing">
|
||||
<regexp-list>
|
||||
<regexp name="number"/>
|
||||
</regexp-list>
|
||||
</attribute>
|
||||
|
||||
<attribute name="colspan">
|
||||
<regexp-list>
|
||||
<regexp name="number"/>
|
||||
</regexp-list>
|
||||
</attribute>
|
||||
|
||||
<attribute name="rowspan">
|
||||
<regexp-list>
|
||||
<regexp name="number"/>
|
||||
</regexp-list>
|
||||
</attribute>
|
||||
|
||||
<attribute name="background">
|
||||
<regexp-list>
|
||||
<regexp name="onsiteURL"/>
|
||||
</regexp-list>
|
||||
</attribute>
|
||||
|
||||
<attribute name="bgcolor">
|
||||
<regexp-list>
|
||||
<regexp name="colorNameOrCode"/>
|
||||
</regexp-list>
|
||||
</attribute>
|
||||
|
||||
<attribute name="abbrev">
|
||||
<regexp-list>
|
||||
<regexp name="paragraph"/>
|
||||
</regexp-list>
|
||||
</attribute>
|
||||
|
||||
<attribute name="headers" description="The 'headers' attribute is a space-separated list of cell IDs">
|
||||
<regexp-list>
|
||||
<regexp value="[a-zA-Z0-9\s*]*"/>
|
||||
</regexp-list>
|
||||
</attribute>
|
||||
|
||||
<attribute name="charoff">
|
||||
<regexp-list>
|
||||
<regexp value="numberOrPercent"/>
|
||||
</regexp-list>
|
||||
</attribute>
|
||||
|
||||
<attribute name="char">
|
||||
<regexp-list>
|
||||
<regexp value=".*{0,1}"/>
|
||||
</regexp-list>
|
||||
</attribute>
|
||||
|
||||
|
||||
<attribute name="axis" description="The 'headers' attribute is a comma-separated list of related header cells">
|
||||
<regexp-list>
|
||||
<regexp value="[a-zA-Z0-9\s*,]*"/>
|
||||
</regexp-list>
|
||||
</attribute>
|
||||
|
||||
<attribute name="nowrap" description="The 'nowrap' attribute tells the browser not to wrap text that goes over one line">
|
||||
<regexp-list>
|
||||
<regexp name="anything"/>
|
||||
<!-- <regexp value="(nowrap){0,1}"/> -->
|
||||
</regexp-list>
|
||||
</attribute>
|
||||
|
||||
|
||||
<!-- Common positioning attributes -->
|
||||
|
||||
<attribute name="width">
|
||||
<regexp-list>
|
||||
<regexp name="numberOrPercent"/>
|
||||
</regexp-list>
|
||||
</attribute>
|
||||
|
||||
<attribute name="height">
|
||||
<regexp-list>
|
||||
<regexp name="numberOrPercent"/>
|
||||
</regexp-list>
|
||||
</attribute>
|
||||
|
||||
<attribute name="align" description="The 'align' attribute of an HTML element is a direction word, like 'left', 'right' or 'center'">
|
||||
<literal-list>
|
||||
<literal value="center"/>
|
||||
<literal value="middle"/>
|
||||
<literal value="left"/>
|
||||
<literal value="right"/>
|
||||
<literal value="justify"/>
|
||||
<literal value="char"/>
|
||||
</literal-list>
|
||||
</attribute>
|
||||
|
||||
<attribute name="valign" description="The 'valign' attribute of an HTML attribute is a direction word, like 'baseline','bottom','middle' or 'top'">
|
||||
<literal-list>
|
||||
<literal value="baseline"/>
|
||||
<literal value="bottom"/>
|
||||
<literal value="middle"/>
|
||||
<literal value="top"/>
|
||||
</literal-list>
|
||||
</attribute>
|
||||
|
||||
|
||||
|
||||
<!-- Intrinsic JavaScript Events -->
|
||||
|
||||
<attribute name="onFocus" description="The 'onFocus' event is executed when the control associated with the tag gains focus">
|
||||
<literal-list>
|
||||
<literal value="javascript:void(0)"/>
|
||||
<literal value="javascript:history.go(-1)"/>
|
||||
</literal-list>
|
||||
</attribute>
|
||||
|
||||
<attribute name="onBlur" description="The 'onBlur' event is executed when the control associated with the tag loses focus">
|
||||
<literal-list>
|
||||
<literal value="javascript:void(0)"/>
|
||||
<literal value="javascript:history.go(-1)"/>
|
||||
</literal-list>
|
||||
</attribute>
|
||||
|
||||
<attribute name="onClick" description="The 'onClick' event is executed when the control associated with the tag is clicked">
|
||||
<literal-list>
|
||||
<literal value="javascript:void(0)"/>
|
||||
<literal value="javascript:history.go(-1)"/>
|
||||
</literal-list>
|
||||
</attribute>
|
||||
|
||||
<attribute name="onDblClick" description="The 'onDblClick' event is executed when the control associated with the tag is clicked twice immediately">
|
||||
<literal-list>
|
||||
<literal value="javascript:void(0)"/>
|
||||
<literal value="javascript:history.go(-1)"/>
|
||||
</literal-list>
|
||||
</attribute>
|
||||
|
||||
<attribute name="onMouseDown" description="The 'onMouseDown' event is executed when the control associated with the tag is clicked but not yet released">
|
||||
<literal-list>
|
||||
<literal value="javascript:void(0)"/>
|
||||
<literal value="javascript:history.go(-1)"/>
|
||||
</literal-list>
|
||||
</attribute>
|
||||
|
||||
<attribute name="onMouseUp" description="The 'onMouseUp' event is executed when the control associated with the tag is clicked after the button is released">
|
||||
<literal-list>
|
||||
<literal value="javascript:void(0)"/>
|
||||
<literal value="javascript:history.go(-1)"/>
|
||||
</literal-list>
|
||||
</attribute>
|
||||
|
||||
<attribute name="onMouseOver" description="The 'onMouseOver' event is executed when the user's mouse hovers over the control associated with the tag">
|
||||
<literal-list>
|
||||
<literal value="javascript:void(0)"/>
|
||||
<literal value="javascript:history.go(-1)"/>
|
||||
</literal-list>
|
||||
</attribute>
|
||||
|
||||
<attribute name="scope" description="The 'scope' attribute defines what's covered by the header cells">
|
||||
<literal-list>
|
||||
<literal value="row"/>
|
||||
<literal value="col"/>
|
||||
<literal value="rowgroup"/>
|
||||
<literal value="colgroup"/>
|
||||
</literal-list>
|
||||
</attribute>
|
||||
|
||||
|
||||
|
||||
<!-- If you want users to be able to mess with tabindex, uncomment this -->
|
||||
<!--
|
||||
<attribute name="tabindex" description="...">
|
||||
<regexp-list>
|
||||
<regexp name="number"/>
|
||||
</regexp-list>
|
||||
</attribute>
|
||||
-->
|
||||
|
||||
|
||||
<!-- Input/form related common attributes -->
|
||||
|
||||
<attribute name="disabled">
|
||||
<regexp-list>
|
||||
<regexp name="anything"/>
|
||||
</regexp-list>
|
||||
</attribute>
|
||||
|
||||
<attribute name="readonly">
|
||||
<regexp-list>
|
||||
<regexp name="anything"/>
|
||||
</regexp-list>
|
||||
</attribute>
|
||||
|
||||
<attribute name="accesskey">
|
||||
<regexp-list>
|
||||
<regexp name="anything"/>
|
||||
</regexp-list>
|
||||
</attribute>
|
||||
|
||||
<attribute name="size">
|
||||
<regexp-list>
|
||||
<regexp name="number"/>
|
||||
</regexp-list>
|
||||
</attribute>
|
||||
|
||||
|
||||
<attribute name="autocomplete">
|
||||
<literal-list>
|
||||
<literal value="on"/>
|
||||
<literal value="off"/>
|
||||
</literal-list>
|
||||
</attribute>
|
||||
|
||||
<attribute name="rows">
|
||||
<regexp-list>
|
||||
<regexp name="number"/>
|
||||
</regexp-list>
|
||||
</attribute>
|
||||
|
||||
<attribute name="cols">
|
||||
<regexp-list>
|
||||
<regexp name="number"/>
|
||||
</regexp-list>
|
||||
</attribute>
|
||||
|
||||
</common-attributes>
|
||||
|
||||
|
||||
<!--
|
||||
This requires normal updates as browsers continue to diverge from the W3C and each other. As long as the browser wars continue
|
||||
this is going to continue. I'm not sure war is the right word for what's going on. Doesn't somebody have to win a war after
|
||||
a while? Even wars of attrition, surely?
|
||||
-->
|
||||
|
||||
<global-tag-attributes>
|
||||
<!-- Not valid in base, head, html, meta, param, script, style, and title elements. -->
|
||||
<attribute name="id"/>
|
||||
<attribute name="style"/>
|
||||
<attribute name="title"/>
|
||||
<attribute name="class"/>
|
||||
<!-- Not valid in base, br, frame, frameset, hr, iframe, param, and script elements. -->
|
||||
<attribute name="lang"/>
|
||||
</global-tag-attributes>
|
||||
|
||||
|
||||
|
||||
<tag-rules>
|
||||
|
||||
<!-- Tags related to JavaScript -->
|
||||
|
||||
<tag name="script" action="remove"/>
|
||||
<tag name="noscript" action="validate"/> <!-- although no javascript can fire inside a noscript tag, css is still a viable attack vector -->
|
||||
|
||||
|
||||
|
||||
<!-- Frame & related tags -->
|
||||
|
||||
<tag name="iframe" action="remove"/>
|
||||
<tag name="frameset" action="remove"/>
|
||||
<tag name="frame" action="remove"/>
|
||||
|
||||
|
||||
|
||||
<!-- Form related tags -->
|
||||
|
||||
<tag name="label" action="validate">
|
||||
<attribute name="for">
|
||||
<regexp-list>
|
||||
<regexp name="htmlId"/>
|
||||
</regexp-list>
|
||||
</attribute>
|
||||
</tag>
|
||||
|
||||
|
||||
<!-- All formatting tags -->
|
||||
|
||||
<tag name="h1" action="validate"/>
|
||||
<tag name="h2" action="validate"/>
|
||||
<tag name="h3" action="validate"/>
|
||||
<tag name="h4" action="validate"/>
|
||||
<tag name="h5" action="validate"/>
|
||||
<tag name="h6" action="validate"/>
|
||||
|
||||
<tag name="p" action="validate">
|
||||
<attribute name="align"/>
|
||||
</tag>
|
||||
|
||||
<tag name="i" action="validate"/>
|
||||
<tag name="b" action="validate"/>
|
||||
<tag name="u" action="validate"/>
|
||||
<tag name="strong" action="validate"/>
|
||||
|
||||
<tag name="em" action="validate"/>
|
||||
<tag name="small" action="validate"/>
|
||||
<tag name="big" action="validate"/>
|
||||
<tag name="pre" action="validate"/>
|
||||
<tag name="code" action="validate"/>
|
||||
<tag name="cite" action="validate"/>
|
||||
<tag name="samp" action="validate"/>
|
||||
<tag name="sub" action="validate"/>
|
||||
<tag name="sup" action="validate"/>
|
||||
<tag name="strike" action="validate"/>
|
||||
<tag name="center" action="validate"/>
|
||||
<tag name="blockquote" action="validate"/>
|
||||
|
||||
<tag name="hr" action="validate"/>
|
||||
<tag name="br" action="validate"/>
|
||||
|
||||
<!--tag name="col" action="validate"/-->
|
||||
|
||||
<tag name="font" action="validate">
|
||||
<attribute name="color">
|
||||
<regexp-list>
|
||||
<regexp name="colorNameOrCode"/>
|
||||
</regexp-list>
|
||||
</attribute>
|
||||
|
||||
<attribute name="face">
|
||||
<regexp-list>
|
||||
<regexp value="[\w;, ]+"/>
|
||||
</regexp-list>
|
||||
</attribute>
|
||||
|
||||
<attribute name="size">
|
||||
<regexp-list>
|
||||
<regexp value="(\+|-){0,1}(\d)+"/>
|
||||
</regexp-list>
|
||||
</attribute>
|
||||
</tag>
|
||||
|
||||
|
||||
<!-- Anchor and anchor related tags -->
|
||||
|
||||
<tag name="a" action="validate">
|
||||
|
||||
<!-- onInvalid="filterTag" has been removed as per suggestion at OWASP SJ 2007 - just "name" is valid -->
|
||||
<attribute name="href"/>
|
||||
<attribute name="onFocus"/>
|
||||
<attribute name="onBlur"/>
|
||||
<attribute name="nohref">
|
||||
<regexp-list>
|
||||
<regexp name="anything"/>
|
||||
</regexp-list>
|
||||
</attribute>
|
||||
<attribute name="rel">
|
||||
<literal-list>
|
||||
<literal value="nofollow"/>
|
||||
</literal-list>
|
||||
</attribute>
|
||||
<attribute name="name"/>
|
||||
|
||||
</tag>
|
||||
|
||||
<tag name="map" action="validate"/>
|
||||
|
||||
<!-- base tag removed per demo - this could be enabled with literal-list values you allow -->
|
||||
<!--
|
||||
<tag name="base" action="validate">
|
||||
<attribute name="href"/>
|
||||
</tag>
|
||||
-->
|
||||
|
||||
|
||||
|
||||
<!-- Stylesheet Tags -->
|
||||
|
||||
<tag name="style" action="validate">
|
||||
<attribute name="type">
|
||||
<literal-list>
|
||||
<literal value="text/css"/>
|
||||
</literal-list>
|
||||
</attribute>
|
||||
<attribute name="media"/>
|
||||
</tag>
|
||||
|
||||
<tag name="span" action="validate"/>
|
||||
|
||||
<tag name="div" action="validate">
|
||||
<attribute name="align"/>
|
||||
</tag>
|
||||
|
||||
<!-- <attribute name="id"/> what could an attacker do if they could overwrite an existing div definition? prolly something bad -->
|
||||
<!-- <attribute name="class"/> what could an attacker do if they could specify any class in the namespace? prolly something bad -->
|
||||
|
||||
|
||||
<!-- Image & image related tags -->
|
||||
|
||||
<tag name="img" action="validate">
|
||||
<attribute name="src" onInvalid="removeTag">
|
||||
<regexp-list>
|
||||
<regexp name="onsiteURL"/>
|
||||
<regexp name="offsiteURL"/>
|
||||
</regexp-list>
|
||||
</attribute>
|
||||
<attribute name="name"/>
|
||||
<attribute name="alt"/>
|
||||
<attribute name="height"/>
|
||||
<attribute name="width"/>
|
||||
<attribute name="border"/>
|
||||
<attribute name="align"/>
|
||||
|
||||
<attribute name="hspace">
|
||||
<regexp-list>
|
||||
<regexp name="number"/>
|
||||
</regexp-list>
|
||||
</attribute>
|
||||
|
||||
<attribute name="vspace">
|
||||
<regexp-list>
|
||||
<regexp name="number"/>
|
||||
</regexp-list>
|
||||
</attribute>
|
||||
</tag>
|
||||
|
||||
<!-- no way to do this safely without hooking up the same code to @import to embed the remote stylesheet (malicious user could change offsite resource to be malicious after validation -->
|
||||
<!-- <attribute name="href" onInvalid="removeTag"/> -->
|
||||
|
||||
<tag name="link" action="validate">
|
||||
|
||||
<!-- <attribute name="href" onInvalid="removeTag"/> -->
|
||||
|
||||
<attribute name="media"/>
|
||||
|
||||
<attribute name="type" onInvalid="removeTag">
|
||||
<literal-list>
|
||||
<literal value="text/css"/>
|
||||
<literal value="application/rss+xml"/>
|
||||
<literal value="image/x-icon"/>
|
||||
</literal-list>
|
||||
</attribute>
|
||||
|
||||
<attribute name="rel">
|
||||
<literal-list>
|
||||
<literal value="stylesheet"/>
|
||||
<literal value="shortcut icon"/>
|
||||
<literal value="search"/>
|
||||
<literal value="copyright"/>
|
||||
<literal value="top"/>
|
||||
<literal value="alternate"/>
|
||||
</literal-list>
|
||||
</attribute>
|
||||
</tag>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<!-- List tags -->
|
||||
|
||||
<tag name="ul" action="validate"/>
|
||||
<tag name="ol" action="validate"/>
|
||||
<tag name="li" action="validate"/>
|
||||
|
||||
|
||||
|
||||
|
||||
<!-- Dictionary tags -->
|
||||
|
||||
<tag name="dd" action="truncate"/>
|
||||
<tag name="dl" action="truncate"/>
|
||||
<tag name="dt" action="truncate"/>
|
||||
|
||||
|
||||
|
||||
|
||||
<!-- Table tags (tbody, thead, tfoot)-->
|
||||
|
||||
<tag name="thead" action="validate">
|
||||
<attribute name="align"/>
|
||||
<attribute name="char"/>
|
||||
<attribute name="charoff"/>
|
||||
<attribute name="valign"/>
|
||||
</tag>
|
||||
|
||||
<tag name="tbody" action="validate">
|
||||
<attribute name="align"/>
|
||||
<attribute name="char"/>
|
||||
<attribute name="charoff"/>
|
||||
<attribute name="valign"/>
|
||||
</tag>
|
||||
|
||||
<tag name="tfoot" action="validate">
|
||||
<attribute name="align"/>
|
||||
<attribute name="char"/>
|
||||
<attribute name="charoff"/>
|
||||
<attribute name="valign"/>
|
||||
</tag>
|
||||
|
||||
<tag name="table" action="validate">
|
||||
<attribute name="height"/>
|
||||
<attribute name="width"/>
|
||||
<attribute name="border"/>
|
||||
<attribute name="bgcolor"/>
|
||||
<attribute name="cellpadding"/>
|
||||
<attribute name="cellspacing"/>
|
||||
<attribute name="background"/>
|
||||
<attribute name="align"/>
|
||||
<attribute name="noresize">
|
||||
<literal-list>
|
||||
<literal value="noresize"/>
|
||||
<literal value=""/>
|
||||
</literal-list>
|
||||
</attribute>
|
||||
</tag>
|
||||
|
||||
<tag name="td" action="validate">
|
||||
<attribute name="background"/>
|
||||
<attribute name="bgcolor"/>
|
||||
<attribute name="abbrev"/>
|
||||
<attribute name="axis"/>
|
||||
<attribute name="headers"/>
|
||||
<attribute name="scope"/>
|
||||
<attribute name="nowrap"/>
|
||||
<attribute name="height"/>
|
||||
<attribute name="width"/>
|
||||
<attribute name="align"/>
|
||||
<attribute name="char"/>
|
||||
<attribute name="charoff"/>
|
||||
<attribute name="valign"/>
|
||||
<attribute name="colspan"/>
|
||||
<attribute name="rowspan"/>
|
||||
</tag>
|
||||
|
||||
<tag name="th" action="validate">
|
||||
<attribute name="abbrev"/>
|
||||
<attribute name="axis"/>
|
||||
<attribute name="headers"/>
|
||||
<attribute name="scope"/>
|
||||
<attribute name="nowrap"/>
|
||||
<attribute name="bgcolor"/>
|
||||
<attribute name="height"/>
|
||||
<attribute name="width"/>
|
||||
<attribute name="align"/>
|
||||
<attribute name="char"/>
|
||||
<attribute name="charoff"/>
|
||||
<attribute name="valign"/>
|
||||
<attribute name="colspan"/>
|
||||
<attribute name="rowspan"/>
|
||||
</tag>
|
||||
|
||||
<tag name="tr" action="validate">
|
||||
<attribute name="height"/>
|
||||
<attribute name="width"/>
|
||||
<attribute name="align"/>
|
||||
<attribute name="valign"/>
|
||||
<attribute name="char"/>
|
||||
<attribute name="charoff"/>
|
||||
<attribute name="background"/>
|
||||
</tag>
|
||||
|
||||
<tag name="colgroup" action="validate">
|
||||
|
||||
<attribute name="span">
|
||||
<regexp-list>
|
||||
<regexp name="number"/>
|
||||
</regexp-list>
|
||||
</attribute>
|
||||
<attribute name="width"/>
|
||||
<attribute name="align"/>
|
||||
<attribute name="char"/>
|
||||
<attribute name="charoff"/>
|
||||
<attribute name="valign"/>
|
||||
</tag>
|
||||
|
||||
<tag name="col" action="validate">
|
||||
<attribute name="align"/>
|
||||
<attribute name="char"/>
|
||||
<attribute name="charoff"/>
|
||||
<attribute name="valign"/>
|
||||
<attribute name="span">
|
||||
<regexp-list>
|
||||
<regexp name="number"/>
|
||||
</regexp-list>
|
||||
</attribute>
|
||||
<attribute name="width"/>
|
||||
</tag>
|
||||
|
||||
<tag name="fieldset" action="validate"/>
|
||||
<tag name="legend" action="validate"/>
|
||||
|
||||
</tag-rules>
|
||||
|
||||
|
||||
<!-- CSS validation processing rules -->
|
||||
|
||||
<css-rules>
|
||||
<!--
|
||||
<property name="counter-increment" default="none" description="The 'counter-increment' property accepts one or more names of counters (identifiers), each one optionally followed by an integer.">
|
||||
<category-list>
|
||||
<category value="all"/>
|
||||
</category-list>
|
||||
<literal-list>
|
||||
<literal value="none"/>
|
||||
<literal value="inherit"/>
|
||||
</literal-list>
|
||||
<regexp-list>
|
||||
<regexp name="cssId"/>
|
||||
<regexp name="integer"/>
|
||||
</regexp-list>
|
||||
</property>
|
||||
-->
|
||||
<property name="font-family" description="This property specifies a prioritized list of font family names and/or generic family names.">
|
||||
<category-list>
|
||||
<category value="visual"/>
|
||||
</category-list>
|
||||
|
||||
<literal-list>
|
||||
<literal value="serif"/>
|
||||
<literal value="arial"/>
|
||||
<literal value="lucida console"/>
|
||||
<literal value="sans-serif"/>
|
||||
<literal value="cursive"/>
|
||||
<literal value="verdana"/>
|
||||
<literal value="fantasy"/>
|
||||
<literal value="monospace"/>
|
||||
</literal-list>
|
||||
|
||||
|
||||
<regexp-list>
|
||||
<regexp value="[\w,\-'" ]+"/>
|
||||
</regexp-list>
|
||||
|
||||
</property>
|
||||
<property name="page" description="The 'page' property can be used to specify a particular type of page where an element should be displayed.">
|
||||
<category-list>
|
||||
<category value="visual"/>
|
||||
<category value="paged"/>
|
||||
</category-list>
|
||||
<literal-list>
|
||||
<literal value="auto"/>
|
||||
</literal-list>
|
||||
<regexp-list>
|
||||
<regexp name="cssId"/>
|
||||
</regexp-list>
|
||||
</property>
|
||||
|
||||
|
||||
|
||||
|
||||
</css-rules>
|
||||
|
||||
</anti-samy-rules>
|
||||
2572
AntiXssUF.Mvc/resources/antixss-policy-antisamy.xml
Normal file
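--- a/AntiXssUF.Mvc/resources/antixss-policy.xsd
+++ b/AntiXssUF.Mvc/resources/antixss-policy.xsd
@@ -0,0 +1,154 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<xsd:schema
+xmlns:xsd="http://www.w3.org/2001/XMLSchema">
+
+<xsd:element name="rules">
+
+<xsd:complexType>
+
+<xsd:sequence>
+<xsd:element name="directives" type="Directives" maxOccurs="1" minOccurs="1"/>
+<xsd:element name="common-regexps" type="CommonRegexps" maxOccurs="1" minOccurs="1"/>
+<xsd:element name="common-attributes" type="AttributeList" maxOccurs="1" minOccurs="1"/>
+<xsd:element name="global-tag-attributes" type="AttributeList" maxOccurs="1" minOccurs="1"/>
+<xsd:element name="tag-rules" type="TagRules" minOccurs="1" maxOccurs="1"/>
+<xsd:element name="css-rules" type="CSSRules" minOccurs="1" maxOccurs="1"/>
+</xsd:sequence>
+
+</xsd:complexType>
+</xsd:element>
+<xsd:complexType name="Directives">
+<xsd:sequence maxOccurs="unbounded">
+<xsd:element name="directive" type="Directive" minOccurs="0"/>
+</xsd:sequence>
+</xsd:complexType>
+
+<xsd:complexType name="Directive">
+
+<xsd:attribute name="name" use="required"/>
+<xsd:attribute name="value" use="required"/>
+
+</xsd:complexType>
+
+<xsd:complexType name="CommonRegexps">
+<xsd:sequence maxOccurs="unbounded">
+<xsd:element name="regexp" type="RegExp" minOccurs="0"/>
+</xsd:sequence>
+</xsd:complexType>
+
+<xsd:complexType name="AttributeList">
+<xsd:sequence maxOccurs="unbounded">
+<xsd:element name="attribute" type="Attribute" minOccurs="0"/>
+</xsd:sequence>
+</xsd:complexType>
+
+<xsd:complexType name="TagRules">
+<xsd:sequence maxOccurs="unbounded">
+<xsd:element name="tag" type="Tag" minOccurs="0"/>
+</xsd:sequence>
+</xsd:complexType>
+
+<xsd:complexType name="Tag">
+<xsd:sequence maxOccurs="unbounded">
+<xsd:element name="attribute" type="Attribute" minOccurs="0" />
+</xsd:sequence>
+
+<xsd:attribute name="name" use="required"/>
+<xsd:attribute name="action" use="required">
+<xsd:simpleType>
+<xsd:restriction base="xsd:string">
+<xsd:enumeration value="Remove" />
+<xsd:enumeration value="Truncate" />
+<xsd:enumeration value="Validate" />
+<xsd:enumeration value="Filter" />
+</xsd:restriction>
+</xsd:simpleType>
+</xsd:attribute>
+
+</xsd:complexType>
+
+<xsd:complexType name="Attribute">
+<xsd:sequence>
+<xsd:element name="regexp-list" type="RegexpList" minOccurs="0"/>
+<xsd:element name="literal-list" type="LiteralList" minOccurs="0"/>
+</xsd:sequence>
+<xsd:attribute name="name" use="required"/>
+<xsd:attribute name="description"/>
+<xsd:attribute name="onInvalid">
+<xsd:simpleType>
+<xsd:restriction base="xsd:string">
+<xsd:enumeration value="RemoveAttribute" />
+<xsd:enumeration value="RemoveTag" />
+<xsd:enumeration value="FilterTag" />
+</xsd:restriction>
+</xsd:simpleType>
+</xsd:attribute>
+</xsd:complexType>
+
+
+<xsd:complexType name="RegexpList">
+<xsd:sequence maxOccurs="unbounded">
+<xsd:element name="regexp" type="RegExp" minOccurs="0"/>
+</xsd:sequence>
+</xsd:complexType>
+
+<xsd:complexType name="RegExp">
+<xsd:attribute name="name" type="xsd:string"/>
+<xsd:attribute name="value" type="xsd:string"/>
+</xsd:complexType>
+
+<xsd:complexType name="LiteralList">
+<xsd:sequence maxOccurs="unbounded">
+<xsd:element name="literal" type="Literal" minOccurs="0"/>
+</xsd:sequence>
+</xsd:complexType>
+
+<xsd:complexType name="Literal">
+<xsd:attribute name="value" type="xsd:string"/>
+</xsd:complexType>
+
+<xsd:complexType name="CSSRules">
+<xsd:sequence maxOccurs="unbounded">
+<xsd:element name="property" type="Property" minOccurs="0"/>
+</xsd:sequence>
+</xsd:complexType>
+
+<xsd:complexType name="Property">
+<xsd:sequence>
+<xsd:element name="category-list" type="CategoryList" minOccurs="0"/>
+<xsd:element name="literal-list" type="LiteralList" minOccurs="0"/>
+<xsd:element name="regexp-list" type="RegexpList" minOccurs="0"/>
+<xsd:element name="shorthand-list" type="ShorthandList" minOccurs="0"/>
+</xsd:sequence>
+<xsd:attribute name="name" type="xsd:string" use="required"/>
+<xsd:attribute name="default" type="xsd:string"/>
+<xsd:attribute name="description" type="xsd:string"/>
+</xsd:complexType>
+
+
+<xsd:complexType name="ShorthandList">
+<xsd:sequence maxOccurs="unbounded">
+<xsd:element name="shorthand" type="Shorthand" minOccurs="0"/>
+</xsd:sequence>
+</xsd:complexType>
+
+<xsd:complexType name="Shorthand">
+<xsd:attribute name="name" type="xsd:string" use="required"/>
+</xsd:complexType>
+
+<xsd:complexType name="CategoryList">
+<xsd:sequence maxOccurs="unbounded">
+<xsd:element name="category" type="Category" minOccurs="0"/>
+</xsd:sequence>
+</xsd:complexType>
+
+<xsd:complexType name="Category">
+<xsd:attribute name="value" type="xsd:string" use="required"/>
+</xsd:complexType>
+
+
+<xsd:complexType name="Entity">
+<xsd:attribute name="name" type="xsd:string" use="required"/>
+<xsd:attribute name="cdata" type="xsd:string" use="required"/>
+</xsd:complexType>
+</xsd:schema>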
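Review bot: The enumerations in this schema are capitalised (`Remove`, `Validate`, `RemoveTag`, `FilterTag`) and the root element is declared as `rules`, while every policy file visible in this commit writes `action="validate"`, `onInvalid="removeTag"` and a root of `anti-samy-rules`; `xsd:enumeration` is case-sensitive, so if this schema is meant to validate those policies it rejects all of them, and the same applies to the byte-identical copy added as AntiXssUF/resources/Policy.xsd. Either lower-case the values to match the policies (`<xsd:enumeration value="validate" />` and so on) or add a header comment stating which document format the schema targets. `RegExp` leaves both `name` and `value` optional, so an empty `<regexp/>` validates although a rule needs one of them, and `Entity` is declared but never referenced. The `name`/`value` attributes on `Directive`, `Tag` and `Attribute` are untyped while the rest carry `type="xsd:string"`; pick one form.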
@@ -9,6 +9,7 @@ using AntiXssUF.TestSite.Models;
|
||||
using Ufangx.Xss;
|
||||
using System.Collections.Generic;
|
||||
using System.Linq;
|
||||
using System.Threading.Tasks;
|
||||
|
||||
namespace AntiXssUF.TestSite.Controllers
|
||||
{
|
||||
@@ -23,6 +24,11 @@ namespace AntiXssUF.TestSite.Controllers
|
||||
_logger = logger;
|
||||
this.policyFactory = policyFactory;
|
||||
}
|
||||
public async Task<IActionResult> Test(string source) {
|
||||
var filter=await policyFactory.CreateHtmlFilter("ebay");
|
||||
var clean = filter.Filters(source);
|
||||
return Content(clean);
|
||||
}
|
||||
void FilterAttacks(RichText richText, Func<string, bool> fn, [CallerMemberName] string propertyName = null)
|
||||
{
|
||||
html.Append($"\n==== in {propertyName} ==================================================\n原文:\n{ HttpUtility.HtmlEncode(richText.Source)}\n");
|
||||
@@ -167,7 +173,8 @@ namespace AntiXssUF.TestSite.Controllers
|
||||
[HttpPost]
|
||||
public IActionResult Test(TestModel model)
|
||||
{
|
||||
ViewBag.html = model?.RichText?.ToString();
|
||||
var clean = model?.RichText?.ToString() ?? string.Empty;
|
||||
ViewBag.html = clean;
|
||||
return View();
|
||||
}
|
||||
|
||||
|
||||
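Review bot: The new `Test(string source)` action in the `@@ -23,6 +24,11 @@` hunk carries no HTTP-verb attribute, so it matches every verb and sits beside the `[HttpPost] Test(TestModel model)` action in the next hunk; if a parameterless GET `Test()` also exists outside the hunk (the `return View()` in the POST action suggests one), the two unconstrained overloads are ambiguous at runtime. Give it a distinct name and verb, e.g. `[HttpGet] public async Task<IActionResult> TestFilter(string source)`. `Content(clean)` without a content type is served as `text/plain`, so this endpoint shows the filtered markup as text rather than rendering it, which may or may not be the intent, and `source` is null when the query parameter is absent while whether `filter.Filters(null)` tolerates that is not visible here. `FilterAttacks` continues outside the hunk.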
@@ -27,7 +27,7 @@ namespace AntiXssUF.TestSite
|
||||
// This method gets called by the runtime. Use this method to add services to the container.
|
||||
public void ConfigureServices(IServiceCollection services)
|
||||
{
|
||||
services.AddXssFilter(opt=>opt.DefaultSchemeName= "DefaultPolicy")
|
||||
services.AddXssFilter(opt=>opt.DefaultSchemeName= "test")
|
||||
.AddScheme<AntisamyPolicy>("antisamy", () => File.ReadAllTextAsync(Path.Combine(HostEnvironment.ContentRootPath, "resources/antisamy.xml")))
|
||||
.AddScheme<AntisamyPolicy>("anythinggoes", () => File.ReadAllTextAsync(Path.Combine(HostEnvironment.ContentRootPath, "resources/antisamy-anythinggoes.xml")))
|
||||
.AddScheme<AntisamyPolicy>("ebay", () => File.ReadAllTextAsync(Path.Combine(HostEnvironment.ContentRootPath, "resources/antisamy-ebay.xml")))
|
||||
|
||||
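Review bot: `opt.DefaultSchemeName= "test"` (reading the second `AddXssFilter` line as the new side) names a scheme that none of the `AddScheme` registrations in this hunk provides — only `antisamy`, `anythinggoes` and `ebay` are visible — so unless `"test"` is registered further down the chain, anything that relies on the default scheme resolves an unknown name. If it is registered later, a comment on that line such as `// "test" scheme is registered below` would save the next reader the search. The `ConfigureServices` body and the `AddScheme` chain continue outside the hunk.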
@@ -98,7 +98,7 @@ http://www.w3.org/TR/html401/struct/global.html
|
||||
<regexp name="frequency" value="([0-9]+(.[0-9]+)?)(hz|khz)"/>
|
||||
<regexp name="length" value="((-|\+)?0|(-|\+)?([0-9]+(.[0-9]+)?)(em|ex|px|in|cm|mm|pt|pc))"/>
|
||||
<regexp name="percentage" value="(-|\+)?([0-9]+(.[0-9]+)?)%"/>
|
||||
<regexp name="cssColor" value="(aqua|black|blue|fuchsia|gray|grey|green|lime|maroon|navy|olive|purple|red|silver|teal|white|yellow)|(^#[0-9a-fA-F]{3,3}$)|(^#[0-9a-fA-F]{6,6}$)|rgb\(([1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5]),([1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5]),([1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])\)"/>
|
||||
<regexp name="cssColor" value="(aqua|black|blue|fuchsia|gray|grey|green|lime|maroon|navy|olive|purple|red|silver|teal|white|yellow)|(^#[0-9a-fA-F]{3,3}$)|(^#[0-9a-fA-F]{6,6}$)|rgba?\\(\\s*([1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])\\s*,\\s*([1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])\\s*,\\s*([1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])(\\s*,\\s*[1])?\\s*\\)"/>
|
||||
<regexp name="absolute-size" value="(xx-small|x-small|small|medium|large|x-large|xx-large)"/>
|
||||
<regexp name="relative-size" value="(larger|smaller)"/>
|
||||
</common-regexps>
|
||||
|
||||
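Review bot: The new `cssColor` value (the `rgba?` line, which reads as the added side here and in the hunks at `@@ -93,7 +93,7 @@` (twice), `@@ -94,7 +94,7 @@` and `@@ -96,7 +96,7 @@` (twice)) doubles every backslash — `rgba?\\(\\s*…\\s*\\)` — but XML attribute values carry no backslash escaping, so the pattern handed to the regex engine requires a literal `\` after `rgb` and reads `\\s*` as a backslash followed by `s*`; `rgb(255,0,0)` and `rgba(…)` therefore no longer match, unless the policy loader un-escapes the string, which nothing visible suggests. The replaced line used single backslashes (`rgb\(`) correctly; the new line should read `rgba?\(\s*([1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])\s*,\s*([1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])\s*,\s*([1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])(\s*,\s*[1])?\s*\)`. The failure is closed (colours are rejected, not passed through), so this is a functional regression rather than a filter bypass. Separately, the optional alpha component `(\s*,\s*[1])?` only accepts the literal `1`, so any fractional alpha is rejected as well.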
@@ -93,7 +93,7 @@ http://www.w3.org/TR/html401/struct/global.html
|
||||
<regexp name="frequency" value="([0-9]+(.[0-9]+)?)(hz|khz)"/>
|
||||
<regexp name="length" value="((-|\+)?0|(-|\+)?([0-9]+(.[0-9]+)?)(em|ex|px|in|cm|mm|pt|pc))"/>
|
||||
<regexp name="percentage" value="(-|\+)?([0-9]+(.[0-9]+)?)%"/>
|
||||
<regexp name="cssColor" value="(aqua|black|blue|fuchsia|gray|grey|green|lime|maroon|navy|olive|purple|red|silver|teal|white|yellow)|rgb\(([1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5]),([1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5]),([1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])\)"/>
|
||||
<regexp name="cssColor" value="(aqua|black|blue|fuchsia|gray|grey|green|lime|maroon|navy|olive|purple|red|silver|teal|white|yellow)|(^#[0-9a-fA-F]{3,3}$)|(^#[0-9a-fA-F]{6,6}$)|rgba?\\(\\s*([1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])\\s*,\\s*([1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])\\s*,\\s*([1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])(\\s*,\\s*[1])?\\s*\\)"/>
|
||||
<regexp name="absolute-size" value="(xx-small|x-small|small|medium|large|x-large|xx-large)"/>
|
||||
<regexp name="relative-size" value="(larger|smaller)"/>
|
||||
</common-regexps>
|
||||
|
||||
@@ -93,7 +93,7 @@ http://www.w3.org/TR/html401/struct/global.html
|
||||
<regexp name="frequency" value="([0-9]+(.[0-9]+)?)(hz|khz)"/>
|
||||
<regexp name="length" value="((-|\+)?0|(-|\+)?([0-9]+(.[0-9]+)?)(em|ex|px|in|cm|mm|pt|pc))"/>
|
||||
<regexp name="percentage" value="(-|\+)?([0-9]+(.[0-9]+)?)%"/>
|
||||
<regexp name="cssColor" value="(aqua|black|blue|fuchsia|gray|grey|green|lime|maroon|navy|olive|purple|red|silver|teal|white|yellow)|rgb\(([1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5]),([1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5]),([1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])\)"/>
|
||||
<regexp name="cssColor" value="(aqua|black|blue|fuchsia|gray|grey|green|lime|maroon|navy|olive|purple|red|silver|teal|white|yellow)|(^#[0-9a-fA-F]{3,3}$)|(^#[0-9a-fA-F]{6,6}$)|rgba?\\(\\s*([1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])\\s*,\\s*([1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])\\s*,\\s*([1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])(\\s*,\\s*[1])?\\s*\\)"/>
|
||||
<regexp name="absolute-size" value="(xx-small|x-small|small|medium|large|x-large|xx-large)"/>
|
||||
<regexp name="relative-size" value="(larger|smaller)"/>
|
||||
</common-regexps>
|
||||
|
||||
@@ -94,7 +94,7 @@ http://www.w3.org/TR/html401/struct/global.html
|
||||
<regexp name="frequency" value="([0-9]+(.[0-9]+)?)(hz|khz)"/>
|
||||
<regexp name="length" value="((-|\+)?0|(-|\+)?([0-9]+(.[0-9]+)?)(em|ex|px|in|cm|mm|pt|pc))"/>
|
||||
<regexp name="percentage" value="(-|\+)?([0-9]+(.[0-9]+)?)%"/>
|
||||
<regexp name="cssColor" value="(aqua|black|blue|fuchsia|gray|grey|green|lime|maroon|navy|olive|purple|red|silver|teal|white|yellow)|rgb\(([1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5]),([1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5]),([1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])\)"/>
|
||||
<regexp name="cssColor" value="(aqua|black|blue|fuchsia|gray|grey|green|lime|maroon|navy|olive|purple|red|silver|teal|white|yellow)|(^#[0-9a-fA-F]{3,3}$)|(^#[0-9a-fA-F]{6,6}$)|rgba?\\(\\s*([1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])\\s*,\\s*([1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])\\s*,\\s*([1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])(\\s*,\\s*[1])?\\s*\\)"/>
|
||||
<regexp name="absolute-size" value="(xx-small|x-small|small|medium|large|x-large|xx-large)"/>
|
||||
<regexp name="relative-size" value="(larger|smaller)"/>
|
||||
</common-regexps>
|
||||
|
||||
@@ -96,7 +96,7 @@ http://www.w3.org/TR/html401/struct/global.html
|
||||
<regexp name="frequency" value="([0-9]+(.[0-9]+)?)(hz|khz)"/>
|
||||
<regexp name="length" value="((-|\+)?0|(-|\+)?([0-9]+(.[0-9]+)?)(em|ex|px|in|cm|mm|pt|pc))"/>
|
||||
<regexp name="percentage" value="(-|\+)?([0-9]+(.[0-9]+)?)%"/>
|
||||
<regexp name="cssColor" value="(aqua|black|blue|fuchsia|gray|grey|green|lime|maroon|navy|olive|purple|red|silver|teal|white|yellow)|rgb\(([1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5]),([1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5]),([1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])\)"/>
|
||||
<regexp name="cssColor" value="(aqua|black|blue|fuchsia|gray|grey|green|lime|maroon|navy|olive|purple|red|silver|teal|white|yellow)|(^#[0-9a-fA-F]{3,3}$)|(^#[0-9a-fA-F]{6,6}$)|rgba?\\(\\s*([1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])\\s*,\\s*([1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])\\s*,\\s*([1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])(\\s*,\\s*[1])?\\s*\\)"/>
|
||||
<regexp name="absolute-size" value="(xx-small|x-small|small|medium|large|x-large|xx-large)"/>
|
||||
<regexp name="relative-size" value="(larger|smaller)"/>
|
||||
</common-regexps>
|
||||
|
||||
@@ -96,7 +96,7 @@ http://www.w3.org/TR/html401/struct/global.html
|
||||
<regexp name="frequency" value="([0-9]+(.[0-9]+)?)(hz|khz)"/>
|
||||
<regexp name="length" value="((-|\+)?0|(-|\+)?([0-9]+(.[0-9]+)?)(em|ex|px|in|cm|mm|pt|pc))"/>
|
||||
<regexp name="percentage" value="(-|\+)?([0-9]+(.[0-9]+)?)%"/>
|
||||
<regexp name="cssColor" value="(aqua|black|blue|fuchsia|gray|grey|green|lime|maroon|navy|olive|purple|red|silver|teal|white|yellow)|(^#[0-9a-fA-F]{3,3}$)|(^#[0-9a-fA-F]{6,6}$)|rgb\(([1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5]),([1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5]),([1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])\)"/>
|
||||
<regexp name="cssColor" value="(aqua|black|blue|fuchsia|gray|grey|green|lime|maroon|navy|olive|purple|red|silver|teal|white|yellow)|(^#[0-9a-fA-F]{3,3}$)|(^#[0-9a-fA-F]{6,6}$)|rgba?\\(\\s*([1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])\\s*,\\s*([1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])\\s*,\\s*([1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])(\\s*,\\s*[1])?\\s*\\)"/>
|
||||
<regexp name="absolute-size" value="(xx-small|x-small|small|medium|large|x-large|xx-large)"/>
|
||||
<regexp name="relative-size" value="(larger|smaller)"/>
|
||||
</common-regexps>
|
||||
|
||||
@@ -4,6 +4,16 @@
|
||||
<TargetFramework>netstandard2.1</TargetFramework>
|
||||
<AssemblyName>AntiXssUF</AssemblyName>
|
||||
<RootNamespace>Ufangx.Xss</RootNamespace>
|
||||
<GeneratePackageOnBuild>true</GeneratePackageOnBuild>
|
||||
<Description>xss anit policy filter</Description>
|
||||
<Authors>Jackson.bruce</Authors>
|
||||
<Company>ufangx</Company>
|
||||
<Copyright>Copyright (c) 2020 Jackson.Bruce</Copyright>
|
||||
<PackageProjectUrl>https://github.com/JacksonBruce/AntiXssUF</PackageProjectUrl>
|
||||
<RepositoryUrl>https://github.com/JacksonBruce/AntiXssUF.git</RepositoryUrl>
|
||||
<PackageTags>Anti Xss .NETStandard</PackageTags>
|
||||
<PackageReleaseNotes>https://github.com/JacksonBruce/AntiXssUF/blob/master/README.md</PackageReleaseNotes>
|
||||
<RepositoryType>git</RepositoryType>
|
||||
</PropertyGroup>
|
||||
|
||||
<ItemGroup>
|
||||
|
||||
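Review bot: `<Description>xss anit policy filter</Description>` in the added package metadata misspells the description NuGet will display; it should read `<Description>xss anti policy filter</Description>`. The trailing `<ItemGroup>` continues outside the hunk.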
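--- a/AntiXssUF/AntiXssUF.nuspec
+++ b/AntiXssUF/AntiXssUF.nuspec
@@ -0,0 +1,34 @@
+<?xml version="1.0" encoding="utf-8"?>
+<package xmlns="http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd">
+<metadata>
+<id>$id$</id>
+<version>$version$</version>
+<authors>$author$</authors>
+<owners>ufangx</owners>
+<requireLicenseAcceptance>false</requireLicenseAcceptance>
+<title>$title$</title>
+<description>$author$</description>
+<copyright>$copyright$</copyright>
+<licenseUrl>https://github.com/JacksonBruce/AntiXssUF/blob/master/LICENSE</licenseUrl>
+<projectUrl>https://github.com/JacksonBruce/AntiXssUF</projectUrl>
+<releaseNotes>https://github.com/JacksonBruce/AntiXssUF/blob/master/README.md</releaseNotes>
+<tags>Anti Xss .NETStandard </tags>
+<repository url="https://github.com/JacksonBruce/AntiXssUF" />
+<dependencies>
+<group targetFramework=".NETStandard2.1">
+<dependency id="AngleSharp" version="0.13.0" exclude="Build,Analyzers" />
+<dependency id="AngleSharp.Css" version="0.13.0" exclude="Build,Analyzers" />
+<dependency id="Microsoft.Extensions.Caching.Abstractions" version="3.1.2" exclude="Build,Analyzers" />
+<dependency id="Microsoft.Extensions.Configuration.Binder" version="3.1.2" exclude="Build,Analyzers" />
+<dependency id="Microsoft.Extensions.Configuration.Json" version="3.1.2" exclude="Build,Analyzers" />
+<dependency id="Microsoft.Extensions.DependencyInjection" version="3.1.2" exclude="Build,Analyzers" />
+<dependency id="Microsoft.Extensions.Options" version="3.1.2" exclude="Build,Analyzers" />
+</group>
+</dependencies>
+</metadata>
+<files>
+
+<file src="netstandard2.1\*.dll" target="lib\netstandard2.1" />
+<file src="resources\*.*" target="content\resources" />
+</files>
+</package>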
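Review bot: `<description>$author$</description>` substitutes the author token into the package description, so the published package would describe itself with the author's name; it should be `<description>$description$</description>` so the csproj `Description` is picked up. `<licenseUrl>` is deprecated by NuGet in favour of `<license type="expression">…</license>` or `<license type="file">…</license>`, and the trailing space in `<tags>Anti Xss .NETStandard </tags>` is carried into the tag list. The `<file src="resources\*.*" target="content\resources" />` entry ships every policy file under `content\`, which only packages.config consumers apply; PackageReference consumers need `contentFiles\`, so state in a comment next to the entry which consumers the policy files are meant to reach.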
@@ -63,11 +63,11 @@ namespace Ufangx.Xss
|
||||
});
|
||||
Regex regex = new Regex($"^({Regex.Escape("<!doctype")})|({Regex.Escape("<html")})|({Regex.Escape("<body")})", RegexOptions.IgnoreCase);
|
||||
var match = regex.Match(html);
|
||||
var doc = match.Success ? htmlParser.ParseDocument(html) : htmlParser.ParseDocument("");
|
||||
var doc = match.Success ? htmlParser.ParseDocument(html) : htmlParser.ParseDocument("<html><head></head><body></body></html>");
|
||||
var container = match.Success ? doc.DocumentElement : doc.Body;
|
||||
if (!match.Success) { container.InnerHtml = html; }
|
||||
FiltersTags(container.ChildNodes);
|
||||
return match.Success ? (match.Groups[3].Success ? doc.Body.OuterHtml : container.OuterHtml) : container.InnerHtml;
|
||||
return container.HasChildNodes ? (match.Success ? (match.Groups[3].Success ? doc.Body?.OuterHtml : container.OuterHtml) : container.InnerHtml) : string.Empty;
|
||||
}
|
||||
#endregion
|
||||
|
||||
|
||||
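Review bot: The rewritten `return` at the end of the hunk keys on `match.Groups[3]`, but the regex two lines above anchors only its first alternative — in `^(<!doctype)|(<html)|(<body)` the `^` binds to `<!doctype` alone — so a fragment that merely contains `<body` or `<html` somewhere in its text takes the whole-document path and is returned as `doc.Body?.OuterHtml`, which is also the one branch that can now yield `null` while every other branch yields a string. Anchoring all three alternatives keeps the group numbers intact: `new Regex($"^(?:({Regex.Escape("<!doctype")})|({Regex.Escape("<html")})|({Regex.Escape("<body")}))", RegexOptions.IgnoreCase)`, and `doc.Body?.OuterHtml ?? string.Empty` keeps the return contract consistent with the `string.Empty` fallback the new line introduces. The enclosing method starts outside the hunk.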
2417
AntiXssUF/resources/DefaultPolicy.config
Normal file
2417
AntiXssUF/resources/DefaultPolicy.xml
Normal file
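--- a/AntiXssUF/resources/Policy.xsd
+++ b/AntiXssUF/resources/Policy.xsd
@@ -0,0 +1,154 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<xsd:schema
+xmlns:xsd="http://www.w3.org/2001/XMLSchema">
+
+<xsd:element name="rules">
+
+<xsd:complexType>
+
+<xsd:sequence>
+<xsd:element name="directives" type="Directives" maxOccurs="1" minOccurs="1"/>
+<xsd:element name="common-regexps" type="CommonRegexps" maxOccurs="1" minOccurs="1"/>
+<xsd:element name="common-attributes" type="AttributeList" maxOccurs="1" minOccurs="1"/>
+<xsd:element name="global-tag-attributes" type="AttributeList" maxOccurs="1" minOccurs="1"/>
+<xsd:element name="tag-rules" type="TagRules" minOccurs="1" maxOccurs="1"/>
+<xsd:element name="css-rules" type="CSSRules" minOccurs="1" maxOccurs="1"/>
+</xsd:sequence>
+
+</xsd:complexType>
+</xsd:element>
+<xsd:complexType name="Directives">
+<xsd:sequence maxOccurs="unbounded">
+<xsd:element name="directive" type="Directive" minOccurs="0"/>
+</xsd:sequence>
+</xsd:complexType>
+
+<xsd:complexType name="Directive">
+
+<xsd:attribute name="name" use="required"/>
+<xsd:attribute name="value" use="required"/>
+
+</xsd:complexType>
+
+<xsd:complexType name="CommonRegexps">
+<xsd:sequence maxOccurs="unbounded">
+<xsd:element name="regexp" type="RegExp" minOccurs="0"/>
+</xsd:sequence>
+</xsd:complexType>
+
+<xsd:complexType name="AttributeList">
+<xsd:sequence maxOccurs="unbounded">
+<xsd:element name="attribute" type="Attribute" minOccurs="0"/>
+</xsd:sequence>
+</xsd:complexType>
+
+<xsd:complexType name="TagRules">
+<xsd:sequence maxOccurs="unbounded">
+<xsd:element name="tag" type="Tag" minOccurs="0"/>
+</xsd:sequence>
+</xsd:complexType>
+
+<xsd:complexType name="Tag">
+<xsd:sequence maxOccurs="unbounded">
+<xsd:element name="attribute" type="Attribute" minOccurs="0" />
+</xsd:sequence>
+
+<xsd:attribute name="name" use="required"/>
+<xsd:attribute name="action" use="required">
+<xsd:simpleType>
+<xsd:restriction base="xsd:string">
+<xsd:enumeration value="Remove" />
+<xsd:enumeration value="Truncate" />
+<xsd:enumeration value="Validate" />
+<xsd:enumeration value="Filter" />
+</xsd:restriction>
+</xsd:simpleType>
+</xsd:attribute>
+
+</xsd:complexType>
+
+<xsd:complexType name="Attribute">
+<xsd:sequence>
+<xsd:element name="regexp-list" type="RegexpList" minOccurs="0"/>
+<xsd:element name="literal-list" type="LiteralList" minOccurs="0"/>
+</xsd:sequence>
+<xsd:attribute name="name" use="required"/>
+<xsd:attribute name="description"/>
+<xsd:attribute name="onInvalid">
+<xsd:simpleType>
+<xsd:restriction base="xsd:string">
+<xsd:enumeration value="RemoveAttribute" />
+<xsd:enumeration value="RemoveTag" />
+<xsd:enumeration value="FilterTag" />
+</xsd:restriction>
+</xsd:simpleType>
+</xsd:attribute>
+</xsd:complexType>
+
+
+<xsd:complexType name="RegexpList">
+<xsd:sequence maxOccurs="unbounded">
+<xsd:element name="regexp" type="RegExp" minOccurs="0"/>
+</xsd:sequence>
+</xsd:complexType>
+
+<xsd:complexType name="RegExp">
+<xsd:attribute name="name" type="xsd:string"/>
+<xsd:attribute name="value" type="xsd:string"/>
+</xsd:complexType>
+
+<xsd:complexType name="LiteralList">
+<xsd:sequence maxOccurs="unbounded">
+<xsd:element name="literal" type="Literal" minOccurs="0"/>
+</xsd:sequence>
+</xsd:complexType>
+
+<xsd:complexType name="Literal">
+<xsd:attribute name="value" type="xsd:string"/>
+</xsd:complexType>
+
+<xsd:complexType name="CSSRules">
+<xsd:sequence maxOccurs="unbounded">
+<xsd:element name="property" type="Property" minOccurs="0"/>
+</xsd:sequence>
+</xsd:complexType>
+
+<xsd:complexType name="Property">
+<xsd:sequence>
+<xsd:element name="category-list" type="CategoryList" minOccurs="0"/>
+<xsd:element name="literal-list" type="LiteralList" minOccurs="0"/>
+<xsd:element name="regexp-list" type="RegexpList" minOccurs="0"/>
+<xsd:element name="shorthand-list" type="ShorthandList" minOccurs="0"/>
+</xsd:sequence>
+<xsd:attribute name="name" type="xsd:string" use="required"/>
+<xsd:attribute name="default" type="xsd:string"/>
+<xsd:attribute name="description" type="xsd:string"/>
+</xsd:complexType>
+
+
+<xsd:complexType name="ShorthandList">
+<xsd:sequence maxOccurs="unbounded">
+<xsd:element name="shorthand" type="Shorthand" minOccurs="0"/>
+</xsd:sequence>
+</xsd:complexType>
+
+<xsd:complexType name="Shorthand">
+<xsd:attribute name="name" type="xsd:string" use="required"/>
+</xsd:complexType>
+
+<xsd:complexType name="CategoryList">
+<xsd:sequence maxOccurs="unbounded">
+<xsd:element name="category" type="Category" minOccurs="0"/>
+</xsd:sequence>
+</xsd:complexType>
+
+<xsd:complexType name="Category">
+<xsd:attribute name="value" type="xsd:string" use="required"/>
+</xsd:complexType>
+
+
+<xsd:complexType name="Entity">
+<xsd:attribute name="name" type="xsd:string" use="required"/>
+<xsd:attribute name="cdata" type="xsd:string" use="required"/>
+</xsd:complexType>
+</xsd:schema>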
2573
AntiXssUF/resources/antisamy-anythinggoes.xml
Normal file
2385
AntiXssUF/resources/antisamy-ebay.xml
Normal file
2558
AntiXssUF/resources/antisamy-myspace.xml
Normal file
176
AntiXssUF/resources/antisamy-slashdot.xml
Normal file
@@ -0,0 +1,176 @@
|
||||
<?xml version="1.0" encoding="ISO-8859-1"?>
|
||||
|
||||
<!--
|
||||
W3C rules retrieved from:
|
||||
http://www.w3.org/TR/html401/struct/global.html
|
||||
-->
|
||||
|
||||
<!--
|
||||
Slashdot allowed tags taken from "Reply" page:
|
||||
<b> <i> <p> <br> <a> <ol> <ul> <li> <dl> <dt> <dd> <em> <strong> <tt> <blockquote> <div> <ecode> <quote>
|
||||
-->
|
||||
|
||||
<anti-samy-rules xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
||||
xsi:noNamespaceSchemaLocation="antisamy.xsd">
|
||||
|
||||
<directives>
|
||||
<directive name="omitXmlDeclaration" value="true"/>
|
||||
<directive name="omitDoctypeDeclaration" value="true"/>
|
||||
<directive name="maxInputSize" value="5000"/>
|
||||
<directive name="useXHTML" value="true"/>
|
||||
<directive name="formatOutput" value="true"/>
|
||||
|
||||
<directive name="embedStyleSheets" value="false"/>
|
||||
</directives>
|
||||
|
||||
|
||||
<common-regexps>
|
||||
|
||||
<!--
|
||||
From W3C:
|
||||
This attribute assigns a class name or set of class names to an
|
||||
element. Any number of elements may be assigned the same class
|
||||
name or names. Multiple class names must be separated by white
|
||||
space characters.
|
||||
-->
|
||||
|
||||
<regexp name="htmlTitle" value="[\p{L}\p{N}\s-_',:\[\]!\./\\\(\)]*"/> <!-- force non-empty with a '+' at the end instead of '*' -->
|
||||
<regexp name="onsiteURL" value="([\p{L}\p{N}\\/\.\?=\#&;\-_~]+|\#(\w)+)"/>
|
||||
<regexp name="offsiteURL" value="(\s)*((ht|f)tp(s?)://|mailto:)[\p{L}\p{N}]+[~\p{L}\p{N}\p{Zs}\-_\.@#$%&;:,\?=/\+!]*(\s)*"/>
|
||||
|
||||
</common-regexps>
|
||||
|
||||
<!--
|
||||
|
||||
Tag.name = a, b, div, body, etc.
|
||||
Tag.action = filter: remove tags, but keep content, validate: keep content as long as it passes rules, remove: remove tag and contents
|
||||
Attribute.name = id, class, href, align, width, etc.
|
||||
Attribute.onInvalid = what to do when the attribute is invalid, e.g., remove the tag (removeTag), remove the attribute (removeAttribute), filter the tag (filterTag)
|
||||
Attribute.description = What rules in English you want to tell the users they can have for this attribute. Include helpful things so they'll be able to tune their HTML
|
||||
|
||||
-->
|
||||
|
||||
<!--
|
||||
Some attributes are common to all (or most) HTML tags. There aren't many that qualify for this. You have to make sure there's no
|
||||
collisions between any of these attribute names with attribute names of other tags that are for different purposes.
|
||||
-->
|
||||
|
||||
<common-attributes>
|
||||
|
||||
|
||||
<attribute name="lang" description="The 'lang' attribute tells the browser what language the element's attribute values and content are written in">
|
||||
<regexp-list>
|
||||
<regexp value="[a-zA-Z]{2,20}"/>
|
||||
</regexp-list>
|
||||
</attribute>
|
||||
|
||||
<attribute name="title" description="The 'title' attribute provides text that shows up in a 'tooltip' when a user hovers their mouse over the element">
|
||||
<regexp-list>
|
||||
<regexp name="htmlTitle"/>
|
||||
</regexp-list>
|
||||
</attribute>
|
||||
|
||||
<attribute name="href" onInvalid="filterTag">
|
||||
<regexp-list>
|
||||
<regexp name="onsiteURL"/>
|
||||
<regexp name="offsiteURL"/>
|
||||
</regexp-list>
|
||||
</attribute>
|
||||
|
||||
<attribute name="align" description="The 'align' attribute of an HTML element is a direction word, like 'left', 'right' or 'center'">
|
||||
<literal-list>
|
||||
<literal value="center"/>
|
||||
<literal value="left"/>
|
||||
<literal value="right"/>
|
||||
<literal value="justify"/>
|
||||
<literal value="char"/>
|
||||
</literal-list>
|
||||
</attribute>
|
||||
|
||||
</common-attributes>
|
||||
|
||||
|
||||
<!--
|
||||
This requires normal updates as browsers continue to diverge from the W3C and each other. As long as the browser wars continue
|
||||
this is going to continue. I'm not sure war is the right word for what's going on. Doesn't somebody have to win a war after
|
||||
a while?
|
||||
-->
|
||||
|
||||
<global-tag-attributes>
|
||||
<attribute name="title"/>
|
||||
<attribute name="lang"/>
|
||||
</global-tag-attributes>
|
||||
|
||||
|
||||
<tag-rules>
|
||||
|
||||
<!-- Tags related to JavaScript -->
|
||||
|
||||
<tag name="script" action="remove"/>
|
||||
<tag name="noscript" action="remove"/>
|
||||
|
||||
<!-- Frame & related tags -->
|
||||
|
||||
<tag name="iframe" action="remove"/>
|
||||
<tag name="frameset" action="remove"/>
|
||||
<tag name="frame" action="remove"/>
|
||||
<tag name="noframes" action="remove"/>
|
||||
|
||||
<!-- CSS related tags -->
|
||||
<tag name="style" action="remove"/>
|
||||
|
||||
<!-- All reasonable formatting tags -->
|
||||
|
||||
<tag name="p" action="validate">
|
||||
<attribute name="align"/>
|
||||
</tag>
|
||||
|
||||
<tag name="div" action="validate"/>
|
||||
<tag name="i" action="validate"/>
|
||||
<tag name="b" action="validate"/>
|
||||
<tag name="em" action="validate"/>
|
||||
<tag name="blockquote" action="validate"/>
|
||||
<tag name="tt" action="validate"/>
|
||||
|
||||
<tag name="br" action="truncate"/>
|
||||
|
||||
<!-- Custom Slashdot tags, though we're trimming the idea of having a possible mismatching end tag with the endtag="" attribute -->
|
||||
|
||||
<tag name="quote" action="validate"/>
|
||||
<tag name="ecode" action="validate"/>
|
||||
|
||||
|
||||
<!-- Anchor and anchor related tags -->
|
||||
|
||||
<tag name="a" action="validate">
|
||||
|
||||
<attribute name="href" onInvalid="filterTag"/>
|
||||
<attribute name="nohref">
|
||||
<literal-list>
|
||||
<literal value="nohref"/>
|
||||
<literal value=""/>
|
||||
</literal-list>
|
||||
</attribute>
|
||||
<attribute name="rel">
|
||||
<literal-list>
|
||||
<literal value="nofollow"/>
|
||||
</literal-list>
|
||||
</attribute>
|
||||
</tag>
|
||||
|
||||
<!-- List tags -->
|
||||
|
||||
<tag name="ul" action="validate"/>
|
||||
<tag name="ol" action="validate"/>
|
||||
<tag name="li" action="validate"/>
|
||||
|
||||
</tag-rules>
|
||||
|
||||
|
||||
|
||||
<!-- No CSS on Slashdot posts -->
|
||||
|
||||
<css-rules>
|
||||
</css-rules>
|
||||
|
||||
</anti-samy-rules>
|
||||
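Review bot: Both this file and `antisamy-test.xml` point at their schema with `xsi:noNamespaceSchemaLocation="antisamy.xsd"`, and since these policies are presumably read by the project's policy loader at runtime, that loader (outside this diff) should validate against the embedded `antisamy.xsd` rather than resolving the hint from the document, and should parse with `DtdProcessing = DtdProcessing.Prohibit` and `XmlResolver = null` so a tampered policy file cannot pull in external entities. The `omitDoctypeDeclaration` directive a few lines down governs the sanitizer's output, not the parsing of the policy itself. A short header comment in each policy stating which loader it is meant for and that it must validate against the embedded schema would help the next reader; this file's only header is the W3C reference.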
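--- a/AntiXssUF/resources/antisamy-test.xml
+++ b/AntiXssUF/resources/antisamy-test.xml
@@ -0,0 +1,862 @@
+<?xml version="1.0" encoding="ISO-8859-1" ?>
+
+
+<!--
+W3C rules retrieved from:
+http://www.w3.org/TR/html401/struct/global.html
+-->
+
+
+<anti-samy-rules xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+xsi:noNamespaceSchemaLocation="antisamy.xsd">
+
+<directives>
+<directive name="omitXmlDeclaration" value="true"/>
+<directive name="omitDoctypeDeclaration" value="true"/>
+<directive name="maxInputSize" value="20001"/>
+<directive name="useXHTML" value="true"/>
+<directive name="formatOutput" value="true"/>
+
+<!--
+remember, this won't work for relative URIs - AntiSamy doesn't
+know anything about the URL or your web structure
+-->
+<directive name="embedStyleSheets" value="false"/>
+
+</directives>
+
+<common-regexps>
+
+<!--
+From W3C:
+This attribute assigns a class name or set of class names to an
+element. Any number of elements may be assigned the same class
+name or names. Multiple class names must be separated by white
+space characters.
+-->
+<regexp name="colorNameOrCode" value="(#[0-9a-fA-F]{6}|[a-zA-Z]{1,20})"/>
+<regexp name="number" value="[0-9]+"/>
+<regexp name="anything" value=".*"/>
+<regexp name="numberOrPercent" value="(\d)+(%{0,1})"/>
+<regexp name="paragraph" value="([\p{L}\p{N},'\.\s\-_\(\)]|&[0-9]{2};)*"/>
+<regexp name="htmlId" value="[a-zA-Z0-9-_]+"/>
+<regexp name="htmlTitle" value="[\p{L}\p{N}\s-_',:\[\]!\./\\\(\)]*"/> <!-- force non-empty with a '+' at the end instead of '*' -->
+<regexp name="htmlClass" value="[a-zA-Z0-9\s,-_]+"/>
+
+<regexp name="onsiteURL" value="([\p{L}\p{N}\\/\.\?=\#&;\-_~]+|\#(\w)+)"/>
+<regexp name="offsiteURL" value="(\s)*((ht|f)tp(s?)://|mailto:)[\p{L}\p{N}]+[~\p{L}\p{N}\p{Zs}\-_\.@#$%&;:,\?=/\+!]*(\s)*"/>
+
+<regexp name="boolean" value="(true|false)"/>
+<regexp name="singlePrintable" value="[a-zA-Z0-9]{1}"/> <!-- \w allows the '_' character -->
+
+<!-- This is for elements (ex: elemName { ... }) -->
+<regexp name="cssElementSelector" value="[a-zA-Z0-9\-_]+|\*"/>
+
+<!-- This is to list out any element names that are *not* valid -->
+<regexp name="cssElementExclusion" value=""/>
+
+<!-- This if for classes (ex: .className { ... }) -->
+<regexp name="cssClassSelector" value="\.[a-zA-Z0-9\-_]+"/>
+
+<!-- This is to list out any class names that are *not* valid -->
+<regexp name="cssClassExclusion" value=""/>
+
+<!-- This is for ID selectors (ex: #myId { ... } -->
+<regexp name="cssIDSelector" value="#[a-zA-Z0-9\-_]+"/>
+
+<!-- This is for ID selectors (ex: #myId { ... } -->
+<regexp name="cssId" value="#[a-zA-Z0-9\-_]+"/>
+
+<!-- This is to list out any IDs that are *not* valid - FIXME: What should the default be to avoid div hijacking? *? -->
+<regexp name="cssIDExclusion" value=""/>
+
+<!-- This is for pseudo-element selector (ex. foo:pseudo-element { ... } -->
+<regexp name="cssPseudoElementSelector" value=":[a-zA-Z0-9\-_]+"/>
+
+<!-- This is to list out any psuedo-element names that are *not* valid -->
+<regexp name="cssPsuedoElementExclusion" value=""/>
+
+<!-- This is for attribute selectors (ex. foo[attr=value] { ... } -->
+<regexp name="cssAttributeSelector" value="\[[a-zA-Z0-9-_]+((=|~=|\|=){1}[a-zA-Z0-9\-_]+){1}\]"/>
+
+<!-- This is to list out any attribute names that are *not* valid -->
+<regexp name="cssAttributeExclusion" value=""/>
+
+<!-- This is for resources referenced from CSS (such as background images and other imported stylesheets) -->
+<regexp name="cssOnsiteUri" value="url\(([\p{L}\p{N}\\/\.\?=\#&;\-_~]+|\#(\w)+)\)"/>
+<regexp name="cssOffsiteUri" value="url\((\s)*((ht|f)tp(s?)://)[\p{L}\p{N}]+[~\p{L}\p{N}\p{Zs}\-_\.@#$%&;:,\?=/\+!]*(\s)*\)"/>
+
+<!-- This is for comments within CSS (ex. /* comment */) -->
+<regexp name="cssCommentText" value="[\p{L}\p{N}-_,\/\\\.\s\(\)!\?\=\$#%\^&:\[\]"']+"/>
+
+<regexp name="integer" value="(-|\+)?[0-9]+"/>
+<regexp name="number" value="(-|\+)?([0-9]+(.[0-9]+)?)"/>
+<regexp name="angle" value="(-|\+)?([0-9]+(.[0-9]+)?)(deg|grads|rad)"/>
+<regexp name="time" value="([0-9]+(.[0-9]+)?)(ms|s)"/>
+<regexp name="frequency" value="([0-9]+(.[0-9]+)?)(hz|khz)"/>
+<regexp name="length" value="((-|\+)?0|(-|\+)?([0-9]+(.[0-9]+)?)(em|ex|px|in|cm|mm|pt|pc))"/>
+<regexp name="percentage" value="(-|\+)?([0-9]+(.[0-9]+)?)%"/>
+<regexp name="cssColor" value="(aqua|black|blue|fuchsia|gray|grey|green|lime|maroon|navy|olive|purple|red|silver|teal|white|yellow)|(^#[0-9a-fA-F]{3,3}$)|(^#[0-9a-fA-F]{6,6}$)|rgba?\\(\\s*([1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])\\s*,\\s*([1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])\\s*,\\s*([1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])(\\s*,\\s*[1])?\\s*\\)"/>
+<regexp name="absolute-size" value="(xx-small|x-small|small|medium|large|x-large|xx-large)"/>
+<regexp name="relative-size" value="(larger|smaller)"/>
+</common-regexps>
+
+<!--
+
+Tag.name = a, b, div, body, etc.
+Tag.action = filter: remove tags, but keep content, validate: keep content as long as it passes rules, remove: remove tag and contents
+Attribute.name = id, class, href, align, width, etc.
+Attribute.onInvalid = what to do when the attribute is invalid, e.g., remove the tag (removeTag), remove the attribute (removeAttribute), filter the tag (filterTag)
+Attribute.description = What rules in English you want to tell the users they can have for this attribute. Include helpful things so they'll be able to tune their HTML
+
+-->
+
+<!--
+Some attributes are common to all (or most) HTML tags. There aren't many that qualify for this. You have to make sure there's no
+collisions between any of these attribute names with attribute names of other tags that are for different purposes.
+-->
+
+<common-attributes>
+
+
+<!-- Common to all HTML tags -->
+
+<attribute name="id" description="The 'id' of any HTML attribute should not contain anything besides letters and numbers">
+<regexp-list>
+<regexp value="[a-zA-Z0-9_\-\:]+"/>
+</regexp-list>
+</attribute>
+
+<attribute name="class" description="The 'class' of any HTML attribute is usually a single word, but it can also be a list of class names separated by spaces">
+<regexp-list>
+<regexp name="htmlClass"/>
+</regexp-list>
+</attribute>
+
+<attribute name="lang" description="The 'lang' attribute tells the browser what language the element's attribute values and content are written in">
+<regexp-list>
+<regexp value="[a-zA-Z]{2,20}"/>
+</regexp-list>
+</attribute>
+<attribute name="title" description="The 'title' attribute provides text that shows up in a 'tooltip' when a user hovers their mouse over the element">
+<regexp-list>
+<regexp name="htmlTitle"/>
+</regexp-list>
+</attribute>
+
+<attribute name="alt" description="The 'alt' attribute provides alternative text to users when its visual representation is not available">
+<regexp-list>
+<regexp name="paragraph"/>
+</regexp-list>
+</attribute>
+
+
+<!-- the "style" attribute will be validated by an inline stylesheet scanner, so no need to define anything here - i hate having to special case this but no other choice -->
+<attribute name="style" description="The 'style' attribute provides the ability for users to change many attributes of the tag's contents using a strict syntax"/>
+
+<attribute name="media">
+<literal-list>
+<literal value="screen"/>
+<literal value="tty"/>
+<literal value="tv"/>
+<literal value="projection"/>
+<literal value="handheld"/>
+<literal value="print"/>
+<literal value="braille"/>
+<literal value="aural"/>
+<literal value="all"/>
+</literal-list>
+</attribute>
+
+
+<!-- Anchor related -->
+
+<!-- onInvalid="filterTag" has been removed as per suggestion at OWASP SJ 2007 - just "name" is valid -->
+<attribute name="href">
+<regexp-list>
+<regexp name="onsiteURL"/>
+<regexp name="offsiteURL"/>
+</regexp-list>
+</attribute>
+
+<attribute name="name">
+<regexp-list>
+
+<regexp value="[a-zA-Z0-9-_\$]+"/>
+
+<!--
+have to allow the $ for .NET controls - although,
+will users be supplying input that has server-generated
+.NET control names? methinks not, but i want to pass my
+test cases
+-->
+
+</regexp-list>
+</attribute>
+
+
+<attribute name="shape" description="The 'shape' attribute defines the shape of the selectable area">
+<literal-list>
+<literal value="default"/>
+<literal value="rect"/>
+<literal value="circle"/>
+<literal value="poly"/>
+</literal-list>
+</attribute>
+
+
+
+<!-- Table attributes -->
+
+<attribute name="border">
+<regexp-list>
+<regexp name="number"/>
+</regexp-list>
+</attribute>
+
+<attribute name="cellpadding">
+<regexp-list>
+<regexp name="number"/>
+</regexp-list>
+</attribute>
+
+<attribute name="cellspacing">
+<regexp-list>
+<regexp name="number"/>
+</regexp-list>
+</attribute>
+
+<attribute name="colspan">
+<regexp-list>
+<regexp name="number"/>
+</regexp-list>
+</attribute>
+
+<attribute name="rowspan">
+<regexp-list>
+<regexp name="number"/>
+</regexp-list>
+</attribute>
+
+<attribute name="background">
+<regexp-list>
+<regexp name="onsiteURL"/>
+</regexp-list>
+</attribute>
+
+<attribute name="bgcolor">
+<regexp-list>
+<regexp name="colorNameOrCode"/>
+</regexp-list>
+</attribute>
+
+<attribute name="abbrev">
+<regexp-list>
+<regexp name="paragraph"/>
+</regexp-list>
+</attribute>
+
+<attribute name="headers" description="The 'headers' attribute is a space-separated list of cell IDs">
+<regexp-list>
+<regexp value="[a-zA-Z0-9\s*]*"/>
+</regexp-list>
+</attribute>
+
+<attribute name="charoff">
+<regexp-list>
+<regexp value="numberOrPercent"/>
+</regexp-list>
+</attribute>
+
+<attribute name="char">
+<regexp-list>
+<regexp value=".*{0,1}"/>
+</regexp-list>
+</attribute>
+
+
+<attribute name="axis" description="The 'headers' attribute is a comma-separated list of related header cells">
+<regexp-list>
+<regexp value="[a-zA-Z0-9\s*,]*"/>
+</regexp-list>
+</attribute>
+
+<attribute name="nowrap" description="The 'nowrap' attribute tells the browser not to wrap text that goes over one line">
+<regexp-list>
+<regexp name="anything"/>
+<!-- <regexp value="(nowrap){0,1}"/> -->
+</regexp-list>
+</attribute>
+
+
+<!-- Common positioning attributes -->
+
+<attribute name="width">
+<regexp-list>
+<regexp name="numberOrPercent"/>
+</regexp-list>
+</attribute>
+
+<attribute name="height">
+<regexp-list>
+<regexp name="numberOrPercent"/>
+</regexp-list>
+</attribute>
+
+<attribute name="align" description="The 'align' attribute of an HTML element is a direction word, like 'left', 'right' or 'center'">
+<literal-list>
+<literal value="center"/>
+<literal value="middle"/>
+<literal value="left"/>
+<literal value="right"/>
+<literal value="justify"/>
+<literal value="char"/>
+</literal-list>
+</attribute>
+
+<attribute name="valign" description="The 'valign' attribute of an HTML attribute is a direction word, like 'baseline','bottom','middle' or 'top'">
+<literal-list>
+<literal value="baseline"/>
+<literal value="bottom"/>
+<literal value="middle"/>
+<literal value="top"/>
+</literal-list>
+</attribute>
+
+
+
+<!-- Intrinsic JavaScript Events -->
+
+<attribute name="onFocus" description="The 'onFocus' event is executed when the control associated with the tag gains focus">
+<literal-list>
+<literal value="javascript:void(0)"/>
+<literal value="javascript:history.go(-1)"/>
+</literal-list>
+</attribute>
+
+<attribute name="onBlur" description="The 'onBlur' event is executed when the control associated with the tag loses focus">
+<literal-list>
+<literal value="javascript:void(0)"/>
+<literal value="javascript:history.go(-1)"/>
+</literal-list>
+</attribute>
+
+<attribute name="onClick" description="The 'onClick' event is executed when the control associated with the tag is clicked">
+<literal-list>
+<literal value="javascript:void(0)"/>
+<literal value="javascript:history.go(-1)"/>
+</literal-list>
+</attribute>
+
+<attribute name="onDblClick" description="The 'onDblClick' event is executed when the control associated with the tag is clicked twice immediately">
+<literal-list>
+<literal value="javascript:void(0)"/>
+<literal value="javascript:history.go(-1)"/>
+</literal-list>
+</attribute>
+
+<attribute name="onMouseDown" description="The 'onMouseDown' event is executed when the control associated with the tag is clicked but not yet released">
+<literal-list>
+<literal value="javascript:void(0)"/>
+<literal value="javascript:history.go(-1)"/>
+</literal-list>
+</attribute>
+
+<attribute name="onMouseUp" description="The 'onMouseUp' event is executed when the control associated with the tag is clicked after the button is released">
+<literal-list>
+<literal value="javascript:void(0)"/>
+<literal value="javascript:history.go(-1)"/>
+</literal-list>
+</attribute>
+
+<attribute name="onMouseOver" description="The 'onMouseOver' event is executed when the user's mouse hovers over the control associated with the tag">
+<literal-list>
+<literal value="javascript:void(0)"/>
+<literal value="javascript:history.go(-1)"/>
+</literal-list>
+</attribute>
+
+<attribute name="scope" description="The 'scope' attribute defines what's covered by the header cells">
+<literal-list>
+<literal value="row"/>
+<literal value="col"/>
+<literal value="rowgroup"/>
+<literal value="colgroup"/>
+</literal-list>
+</attribute>
+
+
+
+<!-- If you want users to be able to mess with tabindex, uncomment this -->
+<!--
+<attribute name="tabindex" description="...">
+<regexp-list>
+<regexp name="number"/>
+</regexp-list>
+</attribute>
+-->
+
+
+<!-- Input/form related common attributes -->
+
+<attribute name="disabled">
+<regexp-list>
+<regexp name="anything"/>
+</regexp-list>
+</attribute>
+
+<attribute name="readonly">
+<regexp-list>
+<regexp name="anything"/>
+</regexp-list>
+</attribute>
+
+<attribute name="accesskey">
+<regexp-list>
+<regexp name="anything"/>
+</regexp-list>
+</attribute>
+
+<attribute name="size">
+<regexp-list>
+<regexp name="number"/>
+</regexp-list>
+</attribute>
+
+
+<attribute name="autocomplete">
+<literal-list>
+<literal value="on"/>
+<literal value="off"/>
+</literal-list>
+</attribute>
+
+<attribute name="rows">
+<regexp-list>
+<regexp name="number"/>
+</regexp-list>
+</attribute>
+
+<attribute name="cols">
+<regexp-list>
+<regexp name="number"/>
+</regexp-list>
+</attribute>
+
+</common-attributes>
+
+
+<!--
+This requires normal updates as browsers continue to diverge from the W3C and each other. As long as the browser wars continue
+this is going to continue. I'm not sure war is the right word for what's going on. Doesn't somebody have to win a war after
+a while? Even wars of attrition, surely?
+-->
+
+<global-tag-attributes>
+<!-- Not valid in base, head, html, meta, param, script, style, and title elements. -->
+<attribute name="id"/>
+<attribute name="style"/>
+<attribute name="title"/>
+<attribute name="class"/>
+<!-- Not valid in base, br, frame, frameset, hr, iframe, param, and script elements. -->
+<attribute name="lang"/>
+</global-tag-attributes>
+
+
+
+<tag-rules>
+
+<!-- Tags related to JavaScript -->
+
+<tag name="script" action="remove"/>
+<tag name="noscript" action="validate"/> <!-- although no javascript can fire inside a noscript tag, css is still a viable attack vector -->
+
+
+
+<!-- Frame & related tags -->
+
+<tag name="iframe" action="remove"/>
+<tag name="frameset" action="remove"/>
+<tag name="frame" action="remove"/>
+
+
+
+<!-- Form related tags -->
+
+<tag name="label" action="validate">
+<attribute name="for">
+<regexp-list>
+<regexp name="htmlId"/>
+</regexp-list>
+</attribute>
+</tag>
+
+
+<!-- All formatting tags -->
+
+<tag name="h1" action="validate"/>
+<tag name="h2" action="validate"/>
+<tag name="h3" action="validate"/>
+<tag name="h4" action="validate"/>
+<tag name="h5" action="validate"/>
+<tag name="h6" action="validate"/>
+
+<tag name="p" action="validate">
+<attribute name="align"/>
+</tag>
+
+<tag name="i" action="validate"/>
+<tag name="b" action="validate"/>
+<tag name="u" action="validate"/>
+<tag name="strong" action="validate"/>
+
+<tag name="em" action="validate"/>
+<tag name="small" action="validate"/>
+<tag name="big" action="validate"/>
+<tag name="pre" action="validate"/>
+<tag name="code" action="validate"/>
+<tag name="cite" action="validate"/>
+<tag name="samp" action="validate"/>
+<tag name="sub" action="validate"/>
+<tag name="sup" action="validate"/>
+<tag name="strike" action="validate"/>
+<tag name="center" action="validate"/>
+<tag name="blockquote" action="validate"/>
+
+<tag name="hr" action="validate"/>
+<tag name="br" action="validate"/>
+
+<!--tag name="col" action="validate"/-->
+
+<tag name="font" action="validate">
+<attribute name="color">
+<regexp-list>
+<regexp name="colorNameOrCode"/>
+</regexp-list>
+</attribute>
+
+<attribute name="face">
+<regexp-list>
+<regexp value="[\w;, ]+"/>
+</regexp-list>
+</attribute>
+
+<attribute name="size">
+<regexp-list>
+<regexp value="(\+|-){0,1}(\d)+"/>
+</regexp-list>
+</attribute>
+</tag>
+
+
+<!-- Anchor and anchor related tags -->
+
+<tag name="a" action="validate">
+
+<!-- onInvalid="filterTag" has been removed as per suggestion at OWASP SJ 2007 - just "name" is valid -->
+<attribute name="href"/>
+<attribute name="onFocus"/>
+<attribute name="onBlur"/>
+<attribute name="nohref">
+<regexp-list>
+<regexp name="anything"/>
+</regexp-list>
+</attribute>
+<attribute name="rel">
+<literal-list>
+<literal value="nofollow"/>
+</literal-list>
+</attribute>
+<attribute name="name"/>
+
+</tag>
+
+<tag name="map" action="validate"/>
+
+<!-- base tag removed per demo - this could be enabled with literal-list values you allow -->
+<!--
+<tag name="base" action="validate">
+<attribute name="href"/>
+</tag>
+-->
+
+
+
+<!-- Stylesheet Tags -->
+
+<tag name="style" action="validate">
+<attribute name="type">
+<literal-list>
+<literal value="text/css"/>
+</literal-list>
+</attribute>
+<attribute name="media"/>
+</tag>
+
+<tag name="span" action="validate"/>
+
+<tag name="div" action="validate">
+<attribute name="align"/>
+</tag>
+
+<!-- <attribute name="id"/> what could an attacker do if they could overwrite an existing div definition? prolly something bad -->
+<!-- <attribute name="class"/> what could an attacker do if they could specify any class in the namespace? prolly something bad -->
+
+
+<!-- Image & image related tags -->
+
+<tag name="img" action="validate">
+<attribute name="src" onInvalid="removeTag">
+<regexp-list>
+<regexp name="onsiteURL"/>
+<regexp name="offsiteURL"/>
+</regexp-list>
+</attribute>
+<attribute name="name"/>
+<attribute name="alt"/>
+<attribute name="height"/>
+<attribute name="width"/>
+<attribute name="border"/>
+<attribute name="align"/>
+
+<attribute name="hspace">
+<regexp-list>
+<regexp name="number"/>
+</regexp-list>
+</attribute>
+
+<attribute name="vspace">
+<regexp-list>
+<regexp name="number"/>
+</regexp-list>
+</attribute>
+</tag>
+
+<!-- no way to do this safely without hooking up the same code to @import to embed the remote stylesheet (malicious user could change offsite resource to be malicious after validation -->
+<!-- <attribute name="href" onInvalid="removeTag"/> -->
+
+<tag name="link" action="validate">
+
+<!-- <attribute name="href" onInvalid="removeTag"/> -->
+
+<attribute name="media"/>
+
+<attribute name="type" onInvalid="removeTag">
+<literal-list>
+<literal value="text/css"/>
+<literal value="application/rss+xml"/>
+<literal value="image/x-icon"/>
+</literal-list>
+</attribute>
+
+<attribute name="rel">
+<literal-list>
+<literal value="stylesheet"/>
+<literal value="shortcut icon"/>
+<literal value="search"/>
+<literal value="copyright"/>
+<literal value="top"/>
+<literal value="alternate"/>
+</literal-list>
+</attribute>
+</tag>
+
+
+
+
+
+<!-- List tags -->
+
+<tag name="ul" action="validate"/>
+<tag name="ol" action="validate"/>
+<tag name="li" action="validate"/>
+
+
+
+
+<!-- Dictionary tags -->
+
+<tag name="dd" action="truncate"/>
+<tag name="dl" action="truncate"/>
+<tag name="dt" action="truncate"/>
+
+
+
+
+<!-- Table tags (tbody, thead, tfoot)-->
+
+<tag name="thead" action="validate">
+<attribute name="align"/>
+<attribute name="char"/>
+<attribute name="charoff"/>
+<attribute name="valign"/>
+</tag>
+
+<tag name="tbody" action="validate">
+<attribute name="align"/>
+<attribute name="char"/>
+<attribute name="charoff"/>
+<attribute name="valign"/>
+</tag>
+
+<tag name="tfoot" action="validate">
+<attribute name="align"/>
+<attribute name="char"/>
+<attribute name="charoff"/>
+<attribute name="valign"/>
+</tag>
+
+<tag name="table" action="validate">
+<attribute name="height"/>
+<attribute name="width"/>
+<attribute name="border"/>
+<attribute name="bgcolor"/>
+<attribute name="cellpadding"/>
+<attribute name="cellspacing"/>
+<attribute name="background"/>
+<attribute name="align"/>
+<attribute name="noresize">
+<literal-list>
+<literal value="noresize"/>
+<literal value=""/>
+</literal-list>
+</attribute>
+</tag>
+
+<tag name="td" action="validate">
+<attribute name="background"/>
+<attribute name="bgcolor"/>
+<attribute name="abbrev"/>
+<attribute name="axis"/>
+<attribute name="headers"/>
+<attribute name="scope"/>
+<attribute name="nowrap"/>
+<attribute name="height"/>
+<attribute name="width"/>
+<attribute name="align"/>
+<attribute name="char"/>
+<attribute name="charoff"/>
+<attribute name="valign"/>
+<attribute name="colspan"/>
+<attribute name="rowspan"/>
+</tag>
+
+<tag name="th" action="validate">
+<attribute name="abbrev"/>
+<attribute name="axis"/>
+<attribute name="headers"/>
+<attribute name="scope"/>
+<attribute name="nowrap"/>
+<attribute name="bgcolor"/>
+<attribute name="height"/>
+<attribute name="width"/>
+<attribute name="align"/>
+<attribute name="char"/>
+<attribute name="charoff"/>
+<attribute name="valign"/>
+<attribute name="colspan"/>
+<attribute name="rowspan"/>
+</tag>
+
+<tag name="tr" action="validate">
+<attribute name="height"/>
+<attribute name="width"/>
+<attribute name="align"/>
+<attribute name="valign"/>
+<attribute name="char"/>
+<attribute name="charoff"/>
+<attribute name="background"/>
+</tag>
+
+<tag name="colgroup" action="validate">
+
+<attribute name="span">
+<regexp-list>
+<regexp name="number"/>
+</regexp-list>
+</attribute>
+<attribute name="width"/>
+<attribute name="align"/>
+<attribute name="char"/>
+<attribute name="charoff"/>
+<attribute name="valign"/>
+</tag>
+
+<tag name="col" action="validate">
+<attribute name="align"/>
+<attribute name="char"/>
+<attribute name="charoff"/>
+<attribute name="valign"/>
+<attribute name="span">
+<regexp-list>
+<regexp name="number"/>
+</regexp-list>
+</attribute>
+<attribute name="width"/>
+</tag>
+
+<tag name="fieldset" action="validate"/>
+<tag name="legend" action="validate"/>
+
+</tag-rules>
+
+
+<!-- CSS validation processing rules -->
+
+<css-rules>
+<!--
+<property name="counter-increment" default="none" description="The 'counter-increment' property accepts one or more names of counters (identifiers), each one optionally followed by an integer.">
+<category-list>
+<category value="all"/>
+</category-list>
+<literal-list>
+<literal value="none"/>
+<literal value="inherit"/>
+</literal-list>
+<regexp-list>
+<regexp name="cssId"/>
+<regexp name="integer"/>
+</regexp-list>
+</property>
+-->
+<property name="font-family" description="This property specifies a prioritized list of font family names and/or generic family names.">
+<category-list>
+<category value="visual"/>
+</category-list>
+
+<literal-list>
+<literal value="serif"/>
+<literal value="arial"/>
+<literal value="lucida console"/>
+<literal value="sans-serif"/>
+<literal value="cursive"/>
+<literal value="verdana"/>
+<literal value="fantasy"/>
+<literal value="monospace"/>
+</literal-list>
+
+
+<regexp-list>
+<regexp value="[\w,\-'" ]+"/>
+</regexp-list>
+
+</property>
+<property name="page" description="The 'page' property can be used to specify a particular type of page where an element should be displayed.">
+<category-list>
+<category value="visual"/>
+<category value="paged"/>
+</category-list>
+<literal-list>
+<literal value="auto"/>
+</literal-list>
+<regexp-list>
+<regexp name="cssId"/>
+</regexp-list>
+</property>
+
+
+
+
+</css-rules>
+
+</anti-samy-rules>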
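Review bot: The `htmlClass` pattern `[a-zA-Z0-9\s,-_]+`, which backs the global `class` attribute, contains an unescaped `,-_` that the regex engine reads as the character range `,` through `_`, so class values may carry `/ : ; < = > ? @ [ \ ] ^`; escaping the hyphen, `<regexp name="htmlClass" value="[a-zA-Z0-9\s,\-_]+"/>`, matches the stated intent. The `charoff` attribute references `<regexp value="numberOrPercent"/>` with `value=` rather than `name=`, so the literal text is used as the pattern instead of the named regexp that `width` and `height` use via `<regexp name="numberOrPercent"/>`. `number` is defined twice with different patterns (`[0-9]+` in the HTML group, a signed decimal in the CSS group), and `border`, `colspan`, `rowspan` and `size` resolve to whichever definition the loader keeps, so one should be renamed. The rendered diff shows bare `"` and `&` inside several `value` attributes (`cssCommentText`, the `font-family` regexp, `onsiteURL`); if the committed file really holds them unescaped rather than as `&quot;`/`&amp;`, it is not well-formed and the policy cannot load. The policy files whose diffs are suppressed in this commit most likely share the `htmlClass` and `charoff` lines and should be checked as well.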
2572
AntiXssUF/resources/antisamy.xml
Normal file
137
AntiXssUF/resources/antisamy.xsd
Normal file
@@ -0,0 +1,137 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<xsd:schema
|
||||
xmlns:xsd="http://www.w3.org/2001/XMLSchema">
|
||||
|
||||
<xsd:element name="anti-samy-rules">
|
||||
|
||||
<xsd:complexType>
|
||||
|
||||
<xsd:sequence>
|
||||
<xsd:element name="directives" type="Directives" maxOccurs="1" minOccurs="1"/>
|
||||
<xsd:element name="common-regexps" type="CommonRegexps" maxOccurs="1" minOccurs="1"/>
|
||||
<xsd:element name="common-attributes" type="AttributeList" maxOccurs="1" minOccurs="1"/>
|
||||
<xsd:element name="global-tag-attributes" type="AttributeList" maxOccurs="1" minOccurs="1"/>
|
||||
<xsd:element name="tag-rules" type="TagRules" minOccurs="1" maxOccurs="1"/>
|
||||
<xsd:element name="css-rules" type="CSSRules" minOccurs="1" maxOccurs="1"/>
|
||||
</xsd:sequence>
|
||||
|
||||
</xsd:complexType>
|
||||
</xsd:element>
|
||||
<xsd:complexType name="Directives">
|
||||
<xsd:sequence maxOccurs="unbounded">
|
||||
<xsd:element name="directive" type="Directive" minOccurs="0"/>
|
||||
</xsd:sequence>
|
||||
</xsd:complexType>
|
||||
|
||||
<xsd:complexType name="Directive">
|
||||
|
||||
<xsd:attribute name="name" use="required"/>
|
||||
<xsd:attribute name="value" use="required"/>
|
||||
|
||||
</xsd:complexType>
|
||||
|
||||
<xsd:complexType name="CommonRegexps">
|
||||
<xsd:sequence maxOccurs="unbounded">
|
||||
<xsd:element name="regexp" type="RegExp" minOccurs="0"/>
|
||||
</xsd:sequence>
|
||||
</xsd:complexType>
|
||||
|
||||
<xsd:complexType name="AttributeList">
|
||||
<xsd:sequence maxOccurs="unbounded">
|
||||
<xsd:element name="attribute" type="Attribute" minOccurs="0"/>
|
||||
</xsd:sequence>
|
||||
</xsd:complexType>
|
||||
|
||||
<xsd:complexType name="TagRules">
|
||||
<xsd:sequence maxOccurs="unbounded">
|
||||
<xsd:element name="tag" type="Tag" minOccurs="0"/>
|
||||
</xsd:sequence>
|
||||
</xsd:complexType>
|
||||
|
||||
<xsd:complexType name="Tag">
|
||||
<xsd:sequence maxOccurs="unbounded">
|
||||
<xsd:element name="attribute" type="Attribute" minOccurs="0" />
|
||||
</xsd:sequence>
|
||||
|
||||
<xsd:attribute name="name" use="required"/>
|
||||
<xsd:attribute name="action" use="required"/>
|
||||
|
||||
</xsd:complexType>
|
||||
|
||||
<xsd:complexType name="Attribute">
|
||||
<xsd:sequence>
|
||||
<xsd:element name="regexp-list" type="RegexpList" minOccurs="0"/>
|
||||
<xsd:element name="literal-list" type="LiteralList" minOccurs="0"/>
|
||||
</xsd:sequence>
|
||||
<xsd:attribute name="name" use="required"/>
|
||||
<xsd:attribute name="description"/>
|
||||
<xsd:attribute name="onInvalid"/>
|
||||
</xsd:complexType>
|
||||
|
||||
|
||||
<xsd:complexType name="RegexpList">
|
||||
<xsd:sequence maxOccurs="unbounded">
|
||||
<xsd:element name="regexp" type="RegExp" minOccurs="0"/>
|
||||
</xsd:sequence>
|
||||
</xsd:complexType>
|
||||
|
||||
<xsd:complexType name="RegExp">
|
||||
<xsd:attribute name="name" type="xsd:string"/>
|
||||
<xsd:attribute name="value" type="xsd:string"/>
|
||||
</xsd:complexType>
|
||||
|
||||
<xsd:complexType name="LiteralList">
|
||||
<xsd:sequence maxOccurs="unbounded">
|
||||
<xsd:element name="literal" type="Literal" minOccurs="0"/>
|
||||
</xsd:sequence>
|
||||
</xsd:complexType>
|
||||
|
||||
<xsd:complexType name="Literal">
|
||||
<xsd:attribute name="value" type="xsd:string"/>
|
||||
</xsd:complexType>
|
||||
|
||||
<xsd:complexType name="CSSRules">
|
||||
<xsd:sequence maxOccurs="unbounded">
|
||||
<xsd:element name="property" type="Property" minOccurs="0"/>
|
||||
</xsd:sequence>
|
||||
</xsd:complexType>
|
||||
|
||||
<xsd:complexType name="Property">
|
||||
<xsd:sequence>
|
||||
<xsd:element name="category-list" type="CategoryList" minOccurs="0"/>
|
||||
<xsd:element name="literal-list" type="LiteralList" minOccurs="0"/>
|
||||
<xsd:element name="regexp-list" type="RegexpList" minOccurs="0"/>
|
||||
<xsd:element name="shorthand-list" type="ShorthandList" minOccurs="0"/>
|
||||
</xsd:sequence>
|
||||
<xsd:attribute name="name" type="xsd:string" use="required"/>
|
||||
<xsd:attribute name="default" type="xsd:string"/>
|
||||
<xsd:attribute name="description" type="xsd:string"/>
|
||||
</xsd:complexType>
|
||||
|
||||
|
||||
<xsd:complexType name="ShorthandList">
|
||||
<xsd:sequence maxOccurs="unbounded">
|
||||
<xsd:element name="shorthand" type="Shorthand" minOccurs="0"/>
|
||||
</xsd:sequence>
|
||||
</xsd:complexType>
|
||||
|
||||
<xsd:complexType name="Shorthand">
|
||||
<xsd:attribute name="name" type="xsd:string" use="required"/>
|
||||
</xsd:complexType>
|
||||
|
||||
<xsd:complexType name="CategoryList">
|
||||
<xsd:sequence maxOccurs="unbounded">
|
||||
<xsd:element name="category" type="Category" minOccurs="0"/>
|
||||
</xsd:sequence>
|
||||
</xsd:complexType>
|
||||
|
||||
<xsd:complexType name="Category">
|
||||
<xsd:attribute name="value" type="xsd:string" use="required"/>
|
||||
</xsd:complexType>
|
||||
|
||||
|
||||
<xsd:complexType name="Entity">
|
||||
<xsd:attribute name="name" type="xsd:string" use="required"/>
|
||||
<xsd:attribute name="cdata" type="xsd:string" use="required"/>
|
||||
</xsd:complexType>
|
||||
</xsd:schema>
|
||||
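Review bot: The `Entity` complex type declared at the end of the schema is never referenced by any element, and the root sequence under `anti-samy-rules` has no slot for it, so it is dead in this revision; either add the element that uses it or drop it so the schema matches what the policy loader actually reads. The `action` attribute of `Tag` and the `onInvalid` attribute of `Attribute` are left as untyped strings, so a misspelled action in a policy file validates cleanly and is only caught, if at all, by whatever default the loader applies; an `xsd:simpleType` with an enumeration of the actions the loader accepts would turn that into a validation error. `RegExp` also lets both `name` and `value` be absent, so an empty `<regexp/>` passes validation even though the lists use it either as a named reference or as an inline pattern; requiring one of the two (for example `name` with `use="required"` in `CommonRegexps`) would close that. Because this schema is the gate on the sanitizer's policy, tightening these types is a cheap way to keep a malformed policy from silently widening what the sanitizer lets through.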