[Owasp-antisamy] Can antisamy scrub more than html/css
Arshan Dabirsiaghi
arshan.dabirsiaghi at aspectsecurity.com
Fri Mar 20 09:14:15 EDT 2009
Not currently. AntiSamy only "guarantees" safety when you stick raw AntiSamy output between a start and end tag - that is the use case. Any other context and it's not reliable. If you want to stick AntiSamy output into a textbox, you can simply HTML-encode it and it should be fine.
For more information on HTML contexts and XSS, check out this article at OWASP (very worth the read):
https://www.owasp.org/index.php?title=XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
Hope that helps!
Arshan
________________________________
From: owasp-antisamy-bounces at lists.owasp.org on behalf of Eric Kreiser
Sent: Fri 3/20/2009 9:00 AM
To: Owasp-antisamy at lists.owasp.org
Subject: [Owasp-antisamy] Can antisamy scrub more than html/css
So a standard XSS issue is if the user enters something which is not HTML, but when combined with HTML would be a vulnerability. For instance

x" onmouseover=alert(something)

Does antisamy have a solution for this?
Thanks
Eric
_______________________________________________
Owasp-antisamy mailing list
Owasp-antisamy at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-antisamy
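The distinction Arshan draws above, as an added example that is not part of the thread and not AntiSamy's own code: sanitizer output is trusted only in HTML body context (between a start and end tag), while anything dropped into an attribute such as a textbox's `value` must be HTML-encoded, quotes included, and the attribute must be quoted. The tiny allow-list sanitizer below is a stand-in that mimics what an HTML sanitizer like AntiSamy does; `ALLOWED_TAGS`, the function names and the sample inputs (including Eric's `x" onmouseover=alert(something)` payload from the thread) are constructed for this example.

```python
"""Context-specific handling of untrusted text, as discussed in the thread.

Body context:      sanitize with an allow-list (what AntiSamy does; the small
                   sanitizer here is a stand-in, not AntiSamy itself).
Attribute context: HTML-encode the whole value, quotes included, and always
                   quote the attribute so the value cannot close it.
"""
import html
from html.parser import HTMLParser

ALLOWED_TAGS = {"b", "i", "p", "br"}         # constructed allow-list for the demo
DROP_CONTENT = {"script", "style"}           # tags whose text is discarded, not kept


class AllowListSanitizer(HTMLParser):
    """Keep only allow-listed tags and drop every attribute (so no on* handlers)."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skipping = None   # name of a DROP_CONTENT tag we are inside, if any

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self._skipping = tag
        elif tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")      # attributes are intentionally discarded

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)     # <br/> -> <br>, no spurious end tag

    def handle_endtag(self, tag):
        if tag == self._skipping:
            self._skipping = None
        elif tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self._skipping:
            return
        # text nodes are re-encoded so decoded entities cannot reopen a tag
        self.out.append(html.escape(data, quote=False))

    def result(self) -> str:
        return "".join(self.out)


def sanitize_for_body(untrusted: str) -> str:
    """Body context: return markup safe to place between a start and end tag."""
    parser = AllowListSanitizer()
    parser.feed(untrusted)
    parser.close()
    return parser.result()


def render_attribute(name: str, untrusted_value: str) -> str:
    """Attribute context: emit name="value" with & < > " ' encoded."""
    return f'{name}="{html.escape(untrusted_value, quote=True)}"'


def unsafe_render_attribute(name: str, untrusted_value: str) -> str:
    """The pattern Eric asks about: raw text dropped into a quoted attribute."""
    return f'{name}="{untrusted_value}"'


def render_textbox(untrusted_value: str) -> str:
    """A textbox whose value is untrusted text (e.g. AntiSamy output), encoded."""
    return f'<input type="text" {render_attribute("value", untrusted_value)}>'


if __name__ == "__main__":
    payload = 'x" onmouseover=alert(something)'          # from the thread
    print(unsafe_render_attribute("value", payload))     # quote closed, handler live
    print(render_attribute("value", payload))            # quote encoded, inert
    print(sanitize_for_body('<b onmouseover=alert(1)>hi</b><script>alert(2)</script>'))
    print(render_textbox(sanitize_for_body("<i>clean</i> & <b>bold</b>")))
```

The attribute encoder is deliberately applied to the whole value, not just to `<` and `>`: the payload contains neither, and it is the unencoded `"` that lets it break out of the attribute and add an `onmouseover` handler. Encoding AntiSamy output with the same encoder before placing it in a textbox, as the reply suggests, turns the sanitized markup into inert text inside the attribute.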