Merge pull request #7 from spassarop/develop

Add v1.0.3 changes

.github/workflows/codeql-analysis.yml

@@ -17,8 +17,8 @@ on:
   pull_request:
     # The branches below must be a subset of the branches above
     branches: [ develop ]
-  schedule:
-    - cron: '28 12 * * 4'
+  # Allows you to run this workflow manually from the Actions tab
+  workflow_dispatch:
 
 jobs:
   evaluate_action_skip:

LICENSE

@@ -1,6 +1,6 @@
 BSD 3-Clause License
 
-Copyright (c) 2020, spassarop
+Copyright (c) 2021, spassarop
 All rights reserved.
 
 Redistribution and use in source and binary forms, with or without

OWASP.AntiSamy/AntiSamyPolicyExamples/antisamy-anythinggoes.xml

@@ -1,12 +1,10 @@
 <?xml version="1.0" encoding="ISO-8859-1" ?>
 
-
 <!--
 W3C rules retrieved from:
 http://www.w3.org/TR/html401/struct/global.html
 -->
 
-
 <anti-samy-rules xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 		xsi:noNamespaceSchemaLocation="antisamy.xsd">
 
@@ -102,8 +100,8 @@ http://www.w3.org/TR/html401/struct/global.html
 		<regexp name="angle" value="(-|\+)?([0-9]+(\.[0-9]+)?)(deg|grads|rad)"/>
 		<regexp name="time" value="([0-9]+(\.[0-9]+)?)(ms|s)"/>
 		<regexp name="frequency" value="([0-9]+(\.[0-9]+)?)(hz|khz)"/>
-		<regexp name="length" value="((-|\+)?0|(-|\+)?([0-9]+(\.[0-9]+)?)(em|ex|px|in|cm|mm|pt|pc))"/>
-		<regexp name="positiveLength" value="((\+)?0|(\+)?([0-9]+(\.[0-9]+)?)(em|ex|px|in|cm|mm|pt|pc))"/>
+    <regexp name="length" value="((-|\+)?0|(-|\+)?([0-9]+(\.[0-9]+)?([eE][+-]?[0-9]+)?)(rem|vw|vh|em|ex|px|in|cm|mm|pt|pc))"/>
+    <regexp name="positiveLength" value="((\+)?0|(\+)?([0-9]+(\.[0-9]+)?([eE][+-]?[0-9]+)?)(rem|vw|vh|em|ex|px|in|cm|mm|pt|pc))"/>
 		<regexp name="percentage" value="(-|\+)?([0-9]+(\.[0-9]+)?)%"/>
 		<regexp name="positivePercentage" value="(\+)?([0-9]+(\.[0-9]+)?)%"/>
 
@@ -136,7 +134,6 @@ http://www.w3.org/TR/html401/struct/global.html
 
 	<common-attributes>
 
-
 		<!-- Common to all HTML tags  -->
 
 		<attribute name="id" description="The 'id' of any HTML attribute should not contain anything besides letters and numbers">
@@ -153,9 +150,10 @@ http://www.w3.org/TR/html401/struct/global.html
 
 		<attribute name="lang" description="The 'lang' attribute tells the browser what language the element's attribute values and content are written in">
 		 	<regexp-list>
-		 		<regexp value="[a-zA-Z]{2,20}"/>
+		 		<regexp value="[a-zA-Z0-9-]{2,20}"/>
 		 	</regexp-list>
 		 </attribute>
+
 		 <attribute name="title" description="The 'title' attribute provides text that shows up in a 'tooltip' when a user hovers their mouse over the element">
 		 	<regexp-list>
 		 		<regexp name="htmlTitle"/>
@@ -168,7 +166,6 @@ http://www.w3.org/TR/html401/struct/global.html
 		 	</regexp-list>
 		 </attribute>
 
-
  		<!-- the "style" attribute will be validated by an inline stylesheet scanner, so no need to define anything here - i hate having to special case this but no other choice -->
 		 <attribute name="style" description="The 'style' attribute provides the ability for users to change many attributes of the tag's contents using a strict syntax"/>
 
@@ -190,7 +187,6 @@ http://www.w3.org/TR/html401/struct/global.html
 		 	</literal-list>
 		 </attribute>
 
-
 		 <!-- Anchor related -->
 
 		 <!--  onInvalid="filterTag" has been removed as per suggestion at OWASP SJ 2007 - just "name" is valid -->
@@ -222,7 +218,6 @@ http://www.w3.org/TR/html401/struct/global.html
 		 	</regexp-list>
 		 </attribute>
 
-
 		<attribute name="shape" description="The 'shape' attribute defines the shape of the selectable area">
 			<literal-list>
 				<literal value="default"/>
@@ -232,8 +227,6 @@ http://www.w3.org/TR/html401/struct/global.html
 			</literal-list>
 		</attribute>
 
-
-
 		<!--  Table attributes  -->
 
 		<attribute name="border">
@@ -303,7 +296,6 @@ http://www.w3.org/TR/html401/struct/global.html
 			</regexp-list>
 		 </attribute>
 
-
 		<attribute name="axis" description="The 'headers' attribute is a comma-separated list of related header cells">
 		 	<regexp-list>
 			 	<regexp value="[a-zA-Z0-9\s*,]*"/>
@@ -317,7 +309,6 @@ http://www.w3.org/TR/html401/struct/global.html
 			</regexp-list>
 		</attribute>
 
-
 		<!--  Common positioning attributes  -->
 
 		<attribute name="width">
@@ -352,8 +343,6 @@ http://www.w3.org/TR/html401/struct/global.html
 			</literal-list>
 		</attribute>
 
-
-
 		<!-- Intrinsic JavaScript Events -->
 
 		<attribute name="onFocus" description="The 'onFocus' event is executed when the control associated with the tag gains focus">
@@ -414,8 +403,6 @@ http://www.w3.org/TR/html401/struct/global.html
 		 	</literal-list>
 		 </attribute>
 
-
-
 		 <!-- If you want users to be able to mess with tabindex, uncomment this -->
 		 <!--
 		 <attribute name="tabindex" description="...">
@@ -425,7 +412,6 @@ http://www.w3.org/TR/html401/struct/global.html
 		 </attribute>
 		  -->
 
-
 		 <!-- Input/form related common attributes -->
 
 		 <attribute name="disabled">
@@ -452,7 +438,6 @@ http://www.w3.org/TR/html401/struct/global.html
 		 	</regexp-list>
 		 </attribute>
 
-
 		<attribute name="autocomplete">
 			<literal-list>
 				<literal value="on"/>
@@ -474,7 +459,6 @@ http://www.w3.org/TR/html401/struct/global.html
 
 	</common-attributes>
 
-
 	<!--
 	This requires normal updates as browsers continue to diverge from the W3C and each other. As long as the browser wars continue
 	this is going to continue. I'm not sure war is the right word for what's going on. Doesn't somebody have to win a war after
@@ -513,22 +497,17 @@ http://www.w3.org/TR/html401/struct/global.html
 		<!-- since we're validating the style sheets this is safe to have - switch to "truncate" if the user's html will appear in the html body -->
 		<tag name="title" action="truncate"/>
 
-
 		<!-- Tags related to JavaScript -->
 
 		<tag name="script" action="remove"/>
 		<tag name="noscript" action="validate"/> <!-- although no javascript can fire inside a noscript tag, css is still a viable attack vector -->
 
-
-
 		<!-- Frame & related tags -->
 
 		<tag name="iframe" action="remove"/>
 		<tag name="frameset" action="remove"/>
 		<tag name="frame" action="remove"/>
 
-
-
 		<!-- Form related tags -->
 
 		<tag name="label" action="validate">
@@ -539,7 +518,6 @@ http://www.w3.org/TR/html401/struct/global.html
 			</attribute>
 		</tag>
 
-
 		<!--
 			If you wish to enable any of the form related tags, change the tag's action below from "filter" or "remove" to "validate". The attributes have been
 			hardened so this is safe to do, if it's something you want to allow. Beware the <><ing possibilities!
@@ -697,9 +675,6 @@ http://www.w3.org/TR/html401/struct/global.html
 			<attribute name="accesskey"/>
 		</tag>
 
-
-
-
 		<!-- All formatting tags -->
 
 		<tag name="h1" action="validate"/>
@@ -760,7 +735,6 @@ http://www.w3.org/TR/html401/struct/global.html
 			</attribute>
 		</tag>
 
-
 		<!-- Anchor and anchor related tags -->
 
 		<tag name="a" action="validate">
@@ -792,8 +766,6 @@ http://www.w3.org/TR/html401/struct/global.html
 		</tag>
 		-->
 
-
-
 		<!-- Stylesheet Tags -->
 
 		<tag name="style" action="validate">
@@ -814,10 +786,6 @@ http://www.w3.org/TR/html401/struct/global.html
 		<!-- <attribute name="id"/>  what could an attacker do if they could overwrite an existing div definition? prolly something bad -->
 		<!-- <attribute name="class"/> what could an attacker do if they could specify any class in the namespace? prolly something bad -->
 
-
-
-
-
 		<!-- Image & image related tags -->
 
 		<tag name="img" action="validate">
@@ -876,28 +844,18 @@ http://www.w3.org/TR/html401/struct/global.html
 			</attribute>
 		</tag>
 
-
-
-
-
 		<!-- List tags -->
 
 		<tag name="ul" action="validate"/>
 		<tag name="ol" action="validate"/>
 		<tag name="li" action="validate"/>
 
-
-
-
 		<!-- Dictionary tags -->
 
 		<tag name="dd" action="truncate"/>
 		<tag name="dl" action="truncate"/>
 		<tag name="dt" action="truncate"/>
 
-
-
-
 		<!-- Table tags (tbody, thead, tfoot)-->
 
 		<tag name="thead" action="validate">
@@ -1015,7 +973,6 @@ http://www.w3.org/TR/html401/struct/global.html
 
 	</tag-rules>
 
-
 	<!--  CSS validation processing rules  -->
 
 	<css-rules>
@@ -2573,7 +2530,6 @@ http://www.w3.org/TR/html401/struct/global.html
 				<literal value="monospace"/>
 			</literal-list>
 
-
 			<regexp-list>
 				<regexp value="[\w,\-&apos;&quot; ]+"/>
 			</regexp-list>