[Owasp-antisamy] HTML Sanitization (Tidy), Why?

Jim Manico jim at manico.net
Sat Dec 22 04:12:54 EST 2007


Sam,

If you take a look at Arshan's demo site at
http://i8jesus.com:9080/AntiSamyDemoWebApp/test.jsp you will notice that
even small snippets of HTML will be accepted that are not fully
compliant XHTML.

It's rather easy to set this up on your own site. Give it a try!

- Jim
> Jim, Everyone,
>
> I guess the core of the questions is, does HTML have to be valid XML
> (XHTML) in order for it to be properly validated against the policy file?
>
> Happy Holidays,
> --
> Sam Daoud
> Direct: 650.360.2233
> Cell: 650.454.7711
> Skype/IM: rtmedia
> sam at rinklefree.com
>
>
> On 12/12/07, Jim Manico <jim at manico.net> wrote:
>
>     Sam,
>
>     If you can find a solution to fixing broken HTML and making it
>     compliant XHTML while still meeting the original designers intent
>     and exact look and feel on all major browsers, let me know so I
>     can invest in your company! I think what you are describing is
>     nearly impossible - without changing the intention and rendering
>     of the original mark-up  - especially when you get into complex
>     rich-client code.
>
>     Please anyone correct me if I'm wrong.....
>
>     - Jim
>
>     Sam Daoud wrote:
>>     Hello,
>>
>>     Why does anti-samy first "clean up" any "broken" HTML before
>>     parsing/validating it? Is there a true technical need or does it
>>     simply make for easier parsing?
>>     With user generated content, I want the user to be able to see
>>     the same exact (often malformed) HTML they used in entry when
>>     they go back to edit.
>>
>>     Can anti-samy or a similar implementation of anti-samy do that
>>     while still effectively protecting against XSS threat?
>>
>>     Thanks a lot,
>>     --
>>     Sam Daoud
>>     Direct: 650.360.2233
>>     Cell: 650.454.7711
>>     Skype/IM: rtmedia
>>     sam at rinklefree.com
>>     http://www.RinkleFree.com
>>
>>     _______________________________________________
>>     Owasp-antisamy mailing list
>>     Owasp-antisamy at lists.owasp.org
>>     https://lists.owasp.org/mailman/listinfo/owasp-antisamy
>>
>
>     -- 
>     Best Regards,
>     Jim Manico
>     VP Software Engineering, Codemagi Inc.
>     Application Security Instructor, Aspect Security
>
>     jim at codemagi.com
>     808.652.3805 (c)
>     484.259.3805 (f)
>

-- 
Best Regards,
Jim Manico
VP Software Engineering, Codemagi Inc.
Application Security Instructor, Aspect Security
jim at codemagi.com
808.652.3805 (c)
484.259.3805 (f)
