[Owasp-leaders] HTML Sanitizer for Java project

Jim Manico jim.manico at owasp.org
Mon Feb 20 02:03:05 UTC 2012

We've hit a few milestones at the OWASP HTML Sanitizer project (for Java) that I'm happy to announce.

First of all, the HTML Sanitizer project for Java is a donation from Mike Samuel of Google's AppSec team. This project handles the same security use-case that AntiSamy addresses but takes a different engineering route to accomplish the task. And of course, that task is real-time HTML validation in order to protect a web app from XSS when request parameter input is a chunk of HTML, submitted from widgets like TinyMCE.

The main goal of the project was to achieve this task with high performance, low memory utilization and minimal 3rd party libraries. Mike actually wrote an HTML parser from scratch to accomplish this task (extracted from the Google CAJA project).

More about the project here:


1) We have had several security researchers provide suggestions via our CanYouXSSThis.com demo (thanks for building this site, August Detlefsen). All suggestions have been integrated into the latest version.
2) We unofficially consider this project to be at BETA status. This project has not been reviewed by the project committee; this is just our personal opinion on the project status.
3) More changes here: https://code.google.com/p/owasp-java-html-sanitizer/updates/list 

Thanks all,

Jim Manico

Connections Committee Chair
Cheatsheet Series Product Manager
OWASP Podcast Producer/Host

jim at owasp.org
