-
Notifications
You must be signed in to change notification settings - Fork 92
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Does Antisamy has support for custom css properties " --* " and css-function " var() " and how to define it in the antisamy policy file? #286
Comments
@spassarop - Can you answer this question? Thx |
Regarding However, I'm not sure Batik-CSS (AntiSamy's CSS parser) supports CSS variables. In that case, the |
Thank you for your response, I am using CssParser instead of BatikCSS, but I am not sure whether that supports CSS variables too. |
Batik CSS is a dependency to parse the CSS to analyze, CssParser uses it
internally. If Batik considers CSS variables as invalid CSS “code”then
CssParser never gets to see them, it would not be the first time Batik
provides less than we expect.
…On Thu, 19 Jan 2023 at 05:48 Suganth M ***@***.***> wrote:
Thank you for your response, I am using CssParser instead of BatikCSS, but
I am not sure whether that supports CSS variables too.
—
Reply to this email directly, view it on GitHub
<#286 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AHL3BMN3EYAM6XLPDJR7DVTWTD5U5ANCNFSM6AAAAAAT52ZE3I>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
I did the heavy debugging. The To sum up, the Batik-CSS dependency does not support CSS variables and AntiSamy cannot work with them as it never gets to see them in the internal parser's output. I guess this would result in |
@spassarop - you are the expert on these internal details so I trust your analysis. I think our only real option here, if you want to investigate is replacing the CSS parser with something newer, more transparent, more open, but that's up to you. There are a number of won't fix, like this that are all stuck because of Batik. If you decide to research, open an issue like: "Investigate replacing Batik CSS". And you can link that ticket to all the won't fixes caused by Batik doing things internally we can' see/change/affect. We should maybe even create that ticket even if you don't want to spend time actually investigating this, just to link all the related issues together. |
Yeah, all that seems reasonable.
El mar, 24 ene 2023 a las 11:57, Dave Wichers ***@***.***>)
escribió:
… @spassarop <https://github.com/spassarop> - you are the expert on these
internal details so I trust your analysis. I think our only real option
here, if you want to investigate is replacing the CSS parser with something
newer, more transparent, more open, but that's up to you. There are a
number of won't fix, like this that are all stuck because of Batik. If you
decide to research, open an issue like: "Investigate replacing Batik CSS".
And you can link that ticket to all the won't fixes caused by Batik doing
things internally we can' see/change/affect. We should maybe even create
that ticket even if you don't want to spend time actually investigating
this, just to link all the related issues together.
—
Reply to this email directly, view it on GitHub
<#286 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AHL3BMMZNWY7ZBP42TRQG5DWT7UWVANCNFSM6AAAAAAT52ZE3I>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
Thank you @spassarop and @davewichers for the detailed clarification, even if we use some other css parser instead of batik css, is there any possibilities on supporting custom css variables in antisamy. My organisation is using CSS Parser 0.9.20. I don't know whether it has support or not, but will I can't work with the variables in that either. |
I can't discard the possibility that there is a working parser with that feature. But as Dave wrote, that needs intense research to find out if all current features are available. Also if such library exists, a strong refactoring and testing process must be carried on because the current code is tightly coupled with Batik-CSS. Anyway, until that happens, there is no way AntiSamy can be adapted to support CSS variables. |
I'm linking the new issue #293 as suggested. |
I want to whitelist the custom css properties in my page and I can't find any reference for the custom css properties to write in my policy file, can anyone provide me with a clarificarion.
The text was updated successfully, but these errors were encountered: