[Owasp-antisamy] Requiring valid XHTML from users

Dan Cornell dan at denimgroup.com
Wed Nov 28 08:21:51 EST 2007

Below is a thread that started on another list that should probably be continued here:

> Why should malformed HTML be accepted?  In fact I'll take that a step 
> further and say why not require XHTML?  Granted, there are instances 
> where that may be a shift for an existing web site, but otherwise I 
> think this is not such a large requirement.

This gets into issues of security versus usability and risk mitigation versus risk avoidance.  The point of AntiSamy is that sites DO have to accept HTML and other potentially scary content from users and even legitimate users are really bad at making things clean and correct.  

Requiring valid XHTML from users would be great, but I have some well-trained, well-paid, very talented web developers I work with and I struggle to get THEM to make valid XHTML from time to time.  Expecting the unwashed masses of eBay, Facebook, MySpace, etc users to create valid HTML is just going to result in frustrated users and lost market share for sites enforcing that requirement.

Having a solution like AntiSamy that can deal with junky inputs and degrades gracefully as the requirements for usability increase is preferable to an all-or-nothing approach that either relies on having user-unacceptable standards or error-prone blacklists.



Dan Cornell | Principal
3463 Magic Drive, Suite 315 
San Antonio, Texas 78229
office 210.572.4400
cellular 210.859.0921
DENIM GROUP | Build Integrate Secure
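As an added illustration of the trade-off Dan describes (example code, not code from the AntiSamy project or from the poster): a strict "must be valid XHTML" check rejects a typical user submission outright, while a tolerant allowlist sanitizer, written here as a hypothetical stand-in for AntiSamy's approach, keeps the harmless markup, drops the script, and repairs the nesting. The sample input is constructed.

```python
from html.parser import HTMLParser
from html import escape
import xml.etree.ElementTree as ET

# Constructed sample of "junky" user input: mis-nested <b>/<i>, an unquoted
# attribute, a stray </i>, and a script tag the user should never get to keep.
USER_INPUT = ('<b>Hi <i>there</b> <a href=http://example.com>link</a></i>'
              '<script>alert(1)</script>')

def strict_xhtml_accepts(fragment):
    """The 'require valid XHTML' approach: parse as XML, reject anything malformed."""
    try:
        ET.fromstring(f"<div>{fragment}</div>")
        return True
    except ET.ParseError:
        return False

class AllowlistSanitizer(HTMLParser):
    """Tolerant allowlist sanitizer (hypothetical, in the spirit of AntiSamy):
    keep only listed tags/attributes, drop <script> bodies, emit well-formed output."""
    ALLOWED = {"b": set(), "i": set(), "a": {"href"}}

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open_tags, self.skip_depth = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.skip_depth += 1          # swallow everything until </script>
            return
        if self.skip_depth or tag not in self.ALLOWED:
            return                        # unknown tag: drop it, keep its text
        keep = [(k, v) for k, v in attrs
                if k in self.ALLOWED[tag] and v and v.startswith(("http://", "https://"))]
        attr_text = "".join(f' {k}="{escape(v, quote=True)}"' for k, v in keep)
        self.out.append(f"<{tag}{attr_text}>")
        self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag == "script":
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in self.open_tags:
            return                        # stray close tag: ignore, don't reject input
        while self.open_tags:             # close down to the matching tag for valid nesting
            t = self.open_tags.pop()
            self.out.append(f"</{t}>")
            if t == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data))

    def result(self):
        self.close()
        while self.open_tags:             # close anything the user left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)

def sanitize(fragment):
    p = AllowlistSanitizer()
    p.feed(fragment)
    return p.result()
```

Running `sanitize(USER_INPUT)` yields `<b>Hi <i>there</i></b> <a href="http://example.com">link</a>`, whereas `strict_xhtml_accepts(USER_INPUT)` simply returns False and the user gets an error.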
