Closed
Bug 1172570
Opened 10 years ago
Closed 10 years ago
Output encoding at the CSS context does not render well in firefox (eg: background:\000023FFCCCC;)
Categories
(Core :: CSS Parsing and Computation, defect)
RESOLVED
INVALID
People
(Reporter: gmaran23, Unassigned)
Details
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; Media Center PC 6.0; InfoPath.3; rv:11.0) like Gecko
Steps to reproduce:
Sample Code:
<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=UTF-8">
<style>
body {
background:\000023FFCCCC;
font-family:Arial;
font-size:15px;
}
</style>
</head>
<body>
<p>Test</p>
</body>
</html>
Actual results:
The CSS console displays "Expected color but found '\#FFCCCC'. Error in parsing value for 'background'. Declaration dropped."
Expected results:
background:\000023FFCCCC; should have been parsed as background:#FFCCCC; as \000023 is the css encoding for #.
The same html POC works well with other browsers.
It's a bug in those other browsers (although I'd concede the spec isn't all that clear); colors in #rrggbb form must be a hash token as described in:
http://dev.w3.org/csswg/css2/syndata.html#tokenization
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Resolution: --- → INVALID
(Is the behavior in those other browsers quirks-mode-only?)
Comment 3•10 years ago
Chrome has the buggy behavior in both modes.
Safari has it only in quirks mode.
IE seems to do it in both modes.
Presto Opera gets this right in both modes.
Comment 4•10 years ago
David,
I agree the spec isn't all that clear. To give you a little background of why we are trying to do this, please refer to the stackoverflow link - http://stackoverflow.com/questions/30651150/unable-to-use-encoded-escaped-css-values-with-firefox
When we try to output encode to a CSS context with a proven library like the Microsoft Antixss.Encoder.CssEncode(), or the OWASP ESAPI library encoder().encodeForCSS(), they output to a CSS context to prevent script injections in CSS. Reference implementation - http://code.google.com/p/owasp-esapi-java/source/browse/trunk/src/main/java/org/owasp/esapi/codecs/CSSCodec.java
It qualifies as a valid use case for Firefox to parse the CSS-output-encoded string to a color value. Although I might be horribly wrong there. Apparently Firefox does attempt to decode the value \000023FFCCCC; as \#FFCCCC, however the leading \ appears as a spoiler.
What are your thoughts?
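An added example (not code from this bug, nor the AntiXSS or ESAPI libraries) that models the 6-digit escape encoding seen in the report, decodes it, shows which token type the escaped value becomes, and applies the allowlist check a defender would use for a color value instead of encoding it:

```python
import re

# Constructed model of "escape every non-alphanumeric character as \XXXXXX"
# CSS output encoding, the form seen in the report ('#' -> '\000023').
# Six fixed digits matter: a CSS hex escape is 1-6 digits, so a short
# escape like '\23FF...' would swallow the following hex digits.
def css_encode(value: str) -> str:
    out = []
    for ch in value:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        else:
            out.append("\\%06X" % ord(ch))
    return "".join(out)

# Decoder: \ + 1-6 hex digits (+ optional single whitespace), or \ + any char.
_ESCAPE = re.compile(r"\\([0-9A-Fa-f]{1,6})[ \t\n]?|\\(.)", re.S)

def css_unescape(value: str) -> str:
    def repl(m):
        if m.group(1):
            return chr(int(m.group(1), 16))
        return m.group(2)
    return _ESCAPE.sub(repl, value)

# Simplified tokenizer view: an unescaped '#' starts a HASH token, while an
# escape is a name code point and therefore starts an IDENT token. The ident
# '\000023FFCCCC' decodes to the *text* '#FFCCCC' but is not a hash token,
# which is why 'background:' rejects it as "not a color".
def token_type(value: str) -> str:
    if not value:
        return "OTHER"
    if value[0] == "#":
        return "HASH"
    if value[0] == "\\" or value[0].isalpha() or value[0] in "-_":
        return "IDENT"
    return "OTHER"

# Defender's alternative for this context: a color literal is not a string
# or identifier, so validate it against a strict pattern and emit it as-is
# (or a safe default) rather than escaping it.
_HEX_COLOR = re.compile(r"#(?:[0-9A-Fa-f]{3}|[0-9A-Fa-f]{6})")

def safe_color(untrusted: str, default: str = "#000000") -> str:
    return untrusted if _HEX_COLOR.fullmatch(untrusted) else default
```

Escaping remains the right tool when untrusted data lands inside a CSS string or identifier; for a color slot the allowlist keeps the value a genuine hash token in every browser.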