ZCS-10594/TSS-18404: Fix for emails not displaying correctly. #2

Merged
merged 2 commits into from
Jun 7, 2021

Commits on May 28, 2021

  1. ZCS-10594: Fix for emails not displaying correctly.

    In the classic UI, investigated why the links as displayed in the screenshots
    are coming over the edge and the css rules are not getting applied to it. Found
    that the actual issue for the Glassdoor e-mails in the classic UI is caused by
    the following media queries in the style tag:
    @media not all and (pointer:coarse){.css-8bsfb:hover{background-color:#056b27;border-color:#056b27;color:#fff !important;}}
    
    When I tried to remove the above code and imported the Mimes, all the new
    imported mimes were getting rendered properly. Looked into the antisamy.xml
    file and the tag and attribute policies related to style and media. I tried
    changing and removing the policies related to it but there was no effect of
    those.
    
    I also tried upgrading to 1.6.3 but still have the same issue.
    
    The problem is caused not by the OWASP but is in the antisamy library
    during the serialization. During sanitization the above media queries were not
    removed, but while the antisamy library tries to perform the serialization of the
    document fragment those media queries are getting stripped off. For serialization
    antisamy is dependent on another third-party library which is causing the issue:
    org.apache.xml.serialize.HTMLSerializer.
    
    This is reported and accepted as a bug in the antisamy library, so anything which
    comes ahead of the "@" symbol gets stripped out.
    Reported Bug: org.apache.xml.serialize.HTMLSerializer
    I have also updated bug as per our issue.
    
    In the org.owasp.validator.html.scan.AntiSamyDOMScanner class, I had the expected
    string prior to serialization, and after the org.apache.xml.serialize.HTMLSerializer had
    done the serialization to the DocumentFragment, whatever was after the "@" symbol got
    stripped off in the style tag.
    
    Fix: Introduces an "if-else" condition to selectively serialize the DocumentFragment only
    if it doesn't contain any "@" symbol, otherwise append it to the StringWriter, which seems to
    fix our issue until we get a fix for the bug from antisamy. Also, looking for an HTMLSerializer
    which can handle the media queries in the style sheet.
    log2akshat committed May 28, 2021
    31b4c10

Commits on Jun 2, 2021

  1. 46376e1
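
A regression check for the behaviour the first commit message describes, written as an added example (not code from this pull request or from AntiSamy): it compares the `@`-rules inside `<style>` blocks before and after a serialization step and reports any that were dropped. The function names and the `AFTER` string are assumptions; `AFTER` is a constructed stand-in for output that lost the rule, not captured serializer output.

```python
import re

# Matches the body of each <style> element (case-insensitive, spans newlines).
STYLE_RE = re.compile(r"<style\b[^>]*>(.*?)</style>", re.I | re.S)

def _rule_end(css, start):
    """Index just past the @-rule starting at `start`: either a balanced
    {...} block or a ';'-terminated statement such as @import."""
    depth = 0
    for pos in range(start, len(css)):
        ch = css[pos]
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth <= 0:
                return pos + 1
        elif ch == ";" and depth == 0:
            return pos + 1
    return len(css)  # unterminated rule: take the rest of the block

def at_rules(html):
    """Whitespace-normalised top-level @-rules found in <style> blocks."""
    rules = []
    for css in STYLE_RE.findall(html):
        i = 0
        while (start := css.find("@", i)) != -1:
            end = _rule_end(css, start)
            rules.append(" ".join(css[start:end].split()))
            i = end
    return rules

def dropped_at_rules(before, after):
    """@-rules present before serialization but missing afterwards."""
    kept = at_rules(after)
    return [rule for rule in at_rules(before) if rule not in kept]

# Input built around the media query quoted in the commit message.
BEFORE = ('<style>@media not all and (pointer:coarse){.css-8bsfb:hover'
          '{background-color:#056b27;border-color:#056b27;color:#fff !important;}}'
          ' a{color:#056b27}</style><a class="css-8bsfb">link</a>')
# Constructed output in which the @media rule has been lost.
AFTER = '<style> a{color:#056b27}</style><a class="css-8bsfb">link</a>'

if __name__ == "__main__":
    for rule in dropped_at_rules(BEFORE, AFTER):
        print("dropped:", rule)
```

Running the same comparison on the sanitizer's real input and output, with and without the "@" branch, shows whether a message takes the serializer path or the bypass path.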