[Owasp-antisamy] HTML Sanitization (Tidy), Why?

Sam Daoud sam at rinklefree.com
Fri Dec 21 12:42:12 EST 2007


Jim, Everyone,

I guess the core of the question is: does HTML have to be valid XML (XHTML)
in order for it to be properly validated against the policy file?

Happy Holidays,
--
Sam Daoud
Direct: 650.360.2233
Cell: 650.454.7711
Skype/IM: rtmedia
sam at rinklefree.com


On 12/12/07, Jim Manico <jim at manico.net> wrote:
>
>  Sam,
>
> If you can find a solution to fixing broken HTML and making it compliant XHTML
> while still meeting the original designer's intent and exact look and feel on
> all major browsers, let me know so I can invest in your company! I think
> what you are describing is nearly impossible - without changing the
> intention and rendering of the original mark-up - especially when you get
> into complex rich-client code.
>
> Please anyone correct me if I'm wrong.....
>
> - Jim
>
> Sam Daoud wrote:
>
> Hello,
>
> Why does anti-samy first "clean up" any "broken" HTML before
> parsing/validating it? Is there a true technical need or does it simply make
> for easier parsing?
> With user generated content, I want the user to be able to see the same
> exact (often malformed) HTML they used in entry when they go back to edit.
>
> Can anti-samy or a similar implementation of anti-samy do that while still
> effectively protecting against XSS threat?
>
> Thanks a lot,
> --
> Sam Daoud
> Direct: 650.360.2233
> Cell: 650.454.7711
> Skype/IM: rtmedia
> sam at rinklefree.com
> http://www.RinkleFree.com
>
> --
> Best Regards,
> Jim Manico
> VP Software Engineering, Codemagi Inc.
> Application Security Instructor, Aspect Security
> jim at codemagi.com
> 808.652.3805 (c)
> 484.259.3805 (f)