[Owasp-antisamy] AntiSamy 1.1.1 is out!

Arshan Dabirsiaghi arshan.dabirsiaghi at aspectsecurity.com
Wed Apr 16 11:55:42 EDT 2008


AntiSamy users,

I'm happy to say there's a new version of AntiSamy
<http://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project> out
today! There were many more changes between 1.1 and 1.1.1 than there
were from 1.0 to 1.1! And I'm thrilled about that, if that makes any
sense - it means that usage really grew! Many international users made
requests and e-mailed fixes to the mailing list. Also, some other folks
expressed interest in figuring out better and more consistent HTML
entity translation. Hopefully everyone will be happy as I feel like I've
addressed almost all of the open issues and even included a few
enhancements. In the future, if you find a problem, I suggest you email
the mailing list <https://lists.owasp.org/pipermail/owasp-antisamy/> to
get my attention, but also fill out an issue on the project issues
<http://code.google.com/p/owaspantisamy/issues/list> page. You can test
out the 1.1.1 version on the AntiSamy test page
<http://i8jesus.com:9080/AntiSamyDemoWebApp/test.jsp>.

Also, as of the new 1.1.1 version, AntiSamy is being shipped with the
OWASP ESAPI project <http://www.owasp.org/index.php/ESAPI> - ESAPI can
officially do everything now! Anyway, it's ready for download from the
project page <http://code.google.com/p/owaspantisamy/downloads/list>.
Here's the official changelist:

*	Began using (X)HTMLSerializer instead of XMLSerializer to
recognize HTML entities
*	Removed any invalid XML characters before processing in order to
avoid XML exceptions (thanks to Gareth Heyes, Michael Coates, et al.
who discovered independently)
*	Fixed code to remove any lingering Java 1.5 dependencies (for
real this time)
*	Cleaned up AntiSamy() main method to be a little more organized
*	Fixed the "dangling quote" scenario which could cause XSS if a
getCleanHTML() call ended up inside a textbox value attribute
*	Added *true* XHTML support with new directive in policy file
("useXHTML")
*	Introduced the ability to specify encoding for input and output
(will still rely on you setting your page charsets appropriately though)
*	Made the policy files tolerant of non-latin characters for i18n
support
*	Removed automatic HTML entity translation support (HTML entities
are international, ASCII character code points (e.g.  ) aren't)
*	Upgraded nekohtml to version 1.9.7
*	Upgraded Xerces to 2.9.1

Many thanks for all the help from those who spent their time since 1.1
making AntiSamy a better tool. I'd like to send extra special thanks to
Joel Worral and Raziel Alvarez for their diligent research. I owe you
guys much beer/wine/whatever you drink in your part of the world!

Cheers,

Arshan
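The "dangling quote" item in the changelist above is about an attribute context: sanitizer output that is harmless as HTML body text can still close a value="..." attribute early if it carries an unbalanced quote. The following is an added Python illustration, not AntiSamy code; the SANITIZER_OUTPUT string is a constructed stand-in for what getCleanHTML() might return, and the helper functions are hypothetical.

```python
import html
from html.parser import HTMLParser

# Constructed stand-in for sanitizer output (e.g. what getCleanHTML() might return):
# harmless text, but with one unbalanced double quote left dangling.
SANITIZER_OUTPUT = 'Reservation for "Smith'


class _InputAttrs(HTMLParser):
    """Records the attributes the parser sees on the first <input> element."""

    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "input" and self.attrs is None:
            self.attrs = dict(attrs)


def input_attrs(markup):
    """Parse markup and return the attribute dict of its first <input>."""
    p = _InputAttrs()
    p.feed(markup)
    p.close()
    return p.attrs or {}


def embed_naively(clean):
    """Risky pattern: sanitizer output concatenated straight into a value attribute."""
    return '<input type="text" value="' + clean + '">'


def embed_encoded(clean):
    """Attribute context needs attribute encoding on top of HTML sanitization."""
    return '<input type="text" value="' + html.escape(clean, quote=True) + '">'


def has_unbalanced_quote(s):
    """Cheap guard: an odd number of double quotes cannot sit safely in a "..." attribute."""
    return s.count('"') % 2 == 1


def value_seen_by_parser(markup):
    """The value attribute a parser actually extracts from the markup."""
    return input_attrs(markup).get("value")


if __name__ == "__main__":
    # Naive embedding truncates the value at the dangling quote; encoding keeps it whole.
    print(repr(value_seen_by_parser(embed_naively(SANITIZER_OUTPUT))))  # 'Reservation for '
    print(repr(value_seen_by_parser(embed_encoded(SANITIZER_OUTPUT))))  # 'Reservation for "Smith'
```

The rest of the naive markup after the truncated value is parsed as stray attribute tokens, which is exactly the situation the fix addresses; attribute-encoding the sanitized string keeps all of it inside the attribute.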
