allow hyphens in font family name (OWASP#90)

* allow hyphens in font family name * test for — font name

Author: pukomuko

src/main/java/org/owasp/html/StylingPolicy.java

@@ -155,7 +155,7 @@ public void quotedString(String token) {
  if ((meaning & (meaning - 1)) == 0) { // meaning is unambiguous
  if (meaning == CssSchema.BIT_UNRESERVED_WORD
  && token.length() > 2
- && isAlphanumericOrSpace(token, 1, token.length() - 1)) {
+ && isAlphanumericOrSpaceOrHyphen(token, 1, token.length() - 1)) {
  emitToken(Strings.toLowerCase(token));
  } else if (meaning == CssSchema.BIT_URL) {
  // convert to a URL token and hand-off to the appropriate method
@@ -232,7 +232,7 @@ public void endFunction(String token) {
  return sanitizedCss.length() == 0 ? null : sanitizedCss.toString();
  }
 
- static boolean isAlphanumericOrSpace(
+ static boolean isAlphanumericOrSpaceOrHyphen(
  String token, int start, int end) {
  for (int i = start; i < end; ++i) {
  char ch = token.charAt(i);
@@ -243,7 +243,8 @@ static boolean isAlphanumericOrSpace(
  } else {
  int chLower = ch | 32;
  if (!(('0' <= chLower && chLower <= '9')
- || ('a' <= chLower && chLower <= 'z'))) {
+ || ('a' <= chLower && chLower <= 'z')
+ || ('-' == ch))) {
  return false;
  }
  }

src/test/java/org/owasp/html/StylingPolicyTest.java

@@ -129,6 +129,9 @@ public static final void testFontFace() {
  assertSanitizedCss(
  "font-family:'arial bold' , , , 'helvetica' , sans-serif",
  "font-family: 'Arial Bold',,\"\",Helvetica,sans-serif");
+ assertSanitizedCss(
+ "font:'chalkboardse-light' , 'helvetica' , monospace",
+ "FONT: \"ChalkboardSE-Light\", Helvetica, monospace");
  }
 
  @Test
@@ -151,6 +154,8 @@ public static final void testFont() {
  null, "font: rgb(\"expression(alert(1337))//\")");
  assertSanitizedCss("font-size:smaller", "font-size: smaller");
  assertSanitizedCss("font:smaller", "font: smaller");
+ assertSanitizedCss("font:'chalkboardse-light'", "font: 'ChalkboardSE-Light'");
+ assertSanitizedCss(null, "font: '---");
  }
 
  @Test