RGBA values in styles are removed by AntiSamy

Question

HTML

<text x="457.87" y="334.21" style="fill: rgba(0,0,0,1);">Analyst</text>

Reg Exp for RGBA

<regexp name="rgbaCode"
                value="rgba\\(([1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5]),([1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5]),([1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5]),(0|1|(0.[0-9]+))\\)" />

config.xml

<property name="fill" >
    <regexp-list>
        <regexp name="rgbaCode" />
    </regexp-list>
</property>

With this set up, fill CSS property is getting removed from the clean HTML. I want AntiSamy should retain rgba values in the clean HTML. I have tested the regular expression and it works well. Even I changed the regulaer expression to accept anything (.*), but that too did not work for me.

I am clue less. Where am I going wrong?

Answer 1

Update: It appears that AntiSamy relies on Apache Batik to parse styles, and Batik can't handle RGBA values (according to SVG Essentials 2nd Edition on Safari Books: https://www.safaribooksonline.com/library/view/svg-essentials-2nd/9781491945308/ch04.html). So it won't be possible to use RGBA with AntiSamy. Have you tried the OWASP HtmlSanitizer as an alternative?

Original answer: Have you configured AntiSamy to allow the style attribute on the text tag? CSS rules are just used for extra validation of styles.

Eg in the tag-rules section:

<tag name="text" action="validate">
  <attribute name="style" onInvalid="filterTag">
    <regexp-list>
      <regexp value="[-a-zA-Z0-9:_ ;]*"/>
    </regexp-list>
  </attribute>
</tag>

AntiSamy will then go on to apply your CSS rules as well.