[Owasp-antisamy] Can antisamy scrub more than html/css
arshan.dabirsiaghi at aspectsecurity.com
Fri Mar 20 09:14:15 EDT 2009
Not currently. AntiSamy only "guarantees" safety when you stick raw AntiSamy output between a start and end tag - that is the use case. Any other context and it's not reliable. If you want to stick AntiSamy output into a textbox, you can simply HTML-encode it and it should be fine.
For more information on HTML contexts and XSS, check out this article at OWASP (very worth the read):
Hope that helps!
From: owasp-antisamy-bounces at lists.owasp.org on behalf of Eric Kreiser
Sent: Fri 3/20/2009 9:00 AM
To: Owasp-antisamy at lists.owasp.org
Subject: [Owasp-antisamy] Can antisamy scrub more than html/css
So a standard XSS issue is if the user enters something which is not HTML... but when combined with HTML would be a vulnerability. For
does antisamy have a solution for this?
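The distinction Arshan draws above (sanitizer output is only safe between a start and end tag; in a textbox or any other attribute you HTML-encode it first) is illustrated below with an added, stand-alone example. It is not code from the thread or from the AntiSamy project and it does not call AntiSamy: `SANITIZED_FRAGMENT` is a constructed string standing in for policy-approved sanitizer output, and the embedding functions and the small attribute parser are assumptions made for the demonstration.

```python
import html
from html.parser import HTMLParser

# Constructed stand-in for sanitizer (e.g. AntiSamy) output: markup the policy
# allowed, plus a double quote. Between tags the quote is harmless; inside a
# double-quoted attribute value it terminates the attribute early.
SANITIZED_FRAGMENT = 'She said "hello" to <b>everyone</b>'


def embed_between_tags(sanitized: str) -> str:
    """Supported use case: raw sanitizer output placed between a start and end tag."""
    return f'<div class="comment">{sanitized}</div>'


def embed_in_textbox_unsafe(sanitized: str) -> str:
    """Reusing element-body output inside an attribute without re-encoding."""
    return f'<input type="text" value="{sanitized}">'


def embed_in_textbox(sanitized: str) -> str:
    """Attribute context: HTML-encode first. quote=True also encodes ' and "."""
    return f'<input type="text" value="{html.escape(sanitized, quote=True)}">'


class _InputValueParser(HTMLParser):
    """Collects the value attribute of every <input> tag the parser sees."""

    def __init__(self) -> None:
        super().__init__()
        self.values: list = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            # HTMLParser has already decoded character references in attrs.
            self.values.append(dict(attrs).get("value"))


def textbox_value(markup: str):
    """What a browser-like parser sees as the textbox's value attribute."""
    parser = _InputValueParser()
    parser.feed(markup)
    parser.close()
    return parser.values[0] if parser.values else None


def textbox_round_trips(sanitized: str) -> bool:
    """True if the encoded textbox yields the sanitizer output back unchanged."""
    return textbox_value(embed_in_textbox(sanitized)) == sanitized


if __name__ == "__main__":
    print(embed_between_tags(SANITIZED_FRAGMENT))
    print("unsafe textbox value:", repr(textbox_value(embed_in_textbox_unsafe(SANITIZED_FRAGMENT))))
    print("encoded textbox value:", repr(textbox_value(embed_in_textbox(SANITIZED_FRAGMENT))))
```

Run it and the unsafe variant's value attribute stops at the first embedded quote, while the encoded variant hands the full sanitized string back to the parser, which is the behaviour the reply relies on when it says "HTML-encode it and it should be fine."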