[Owasp-antisamy] AntiSamy 1.1.1 is out!

Arshan Dabirsiaghi arshan.dabirsiaghi at aspectsecurity.com
Wed Apr 16 14:27:03 EDT 2008

Also, Serge gave a lot of useful insight into the Unicode issues and
discovered that Railo has its limitations:



From: owasp-antisamy-bounces at lists.owasp.org
[mailto:owasp-antisamy-bounces at lists.owasp.org] On Behalf Of Arshan
Sent: Wednesday, April 16, 2008 11:56 AM
To: owasp-antisamy at lists.owasp.org
Subject: [Owasp-antisamy] AntiSamy 1.1.1 is out!


AntiSamy users,

I'm happy to say there's a new version of AntiSamy
<http://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project>  out
today! There were many more changes between 1.1 and 1.1.1 than there
were from 1.0 to 1.1! And I'm thrilled about that, if that makes any
sense - it means that usage really grew! Many international users made
requests and e-mailed fixes to the mailing list. Also, some other folks
expressed interest in figuring out better and more consistent HTML
entity translation. Hopefully everyone will be happy as I feel like I've
addressed almost all of the open issues and even included a few
enhancements. In the future, if you find a problem, I suggest you email
the mailing list <https://lists.owasp.org/pipermail/owasp-antisamy/>  to
get my attention, but also fill out an issue on the project issues
<http://code.google.com/p/owaspantisamy/issues/list>  page. You can test
out the 1.1.1 version on the AntiSamy test page
<http://i8jesus.com:9080/AntiSamyDemoWebApp/test.jsp> .

Also, as of the new 1.1.1 version, AntiSamy is being shipped with the
OWASP ESAPI project <http://www.owasp.org/index.php/ESAPI>  - ESAPI can
officially do everything now! Anyway, it's ready for download from the
project page <http://code.google.com/p/owaspantisamy/downloads/list> .
Here's the official changelist:

* Began using (X)HTMLSerializer instead of XMLSerializer to
  recognize HTML entities

* Removed any invalid XML characters before processing in order
  to avoid XML exceptions (thanks to Gareth Heyes, Michael Coates, et al.
  who discovered independently)

* Fixed code to remove any lingering Java 1.5 dependencies (for
  real this time)

* Cleaned up AntiSamy() main method to be a little more organized

* Fixed the "dangling quote" scenario which could cause XSS if a
  getCleanHTML() call ended up inside a textbox value attribute

* Added *true* XHTML support with new directive in policy file

* Introduced the ability to specify encoding for input and output
  (will still rely on you setting your page charsets appropriately though)

* Made the policy files tolerant of non-latin characters for i18n

* Removed automatic HTML entity translation support (HTML
  entities are international, ASCII character code points (e.g.  ) aren't)

* Upgraded nekohtml to version 1.9.7

* Upgraded Xerces to 2.9.1

Many thanks for all the help from those who spent their time since 1.1
making AntiSamy a better tool. I'd like to send extra special thanks to
Joel Worral and Raziel Alvarez for their diligent research. I owe you
guys much beer/wine/whatever you drink in your part of the world!
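The changelist above says that invalid XML characters are now removed before processing so the XML layer does not throw. As an added example, not AntiSamy's code and not part of the announcement, the Python below shows what such a pre-filter amounts to: the XML 1.0 "Char" production expressed as a regular expression, a constructed sample containing control characters, and a check that the sample fails to parse before filtering and succeeds after it. The function names and the sample string are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# XML 1.0 "Char" production. Anything outside these ranges (NUL, most C0
# controls, lone surrogates, U+FFFE/U+FFFF) is not allowed anywhere in a
# document, and a conforming parser rejects the whole input rather than
# recovering. The names in this file are illustrative, not AntiSamy's API.
_INVALID_XML_CHAR = re.compile(
    r"[^\x09\x0A\x0D\x20-\uD7FF\uE000-\uFFFD\U00010000-\U0010FFFF]"
)


def strip_invalid_xml_chars(text: str) -> str:
    """Drop every code point that XML 1.0 forbids, keeping tab/LF/CR."""
    return _INVALID_XML_CHAR.sub("", text)


def count_invalid_xml_chars(text: str) -> int:
    """How many forbidden code points the input carries (useful for logging)."""
    return len(_INVALID_XML_CHAR.findall(text))


def parses_as_xml(fragment: str) -> bool:
    """True if the fragment is well-formed once wrapped in a root element."""
    try:
        ET.fromstring("<root>" + fragment + "</root>")
        return True
    except (ET.ParseError, ValueError):
        # ParseError: expat rejected a token. ValueError covers lone
        # surrogates, which cannot even be encoded to hand to the parser.
        return False


# Constructed sample: a NUL, a C0 control and two ESC characters from an
# ANSI colour sequence, plus a tab, which XML does allow.
SAMPLE = "<b>hello\x00world</b>\x01 tab\tok \x1b[31mansi\x1b[0m"

if __name__ == "__main__":
    print("forbidden code points:", count_invalid_xml_chars(SAMPLE))
    print("parses before filter:", parses_as_xml(SAMPLE))
    cleaned = strip_invalid_xml_chars(SAMPLE)
    print("parses after filter: ", parses_as_xml(cleaned))
    print(repr(cleaned))
```

Stripping is the right default for a sanitizer, since the alternative (failing the whole request) turns a stray control character in user input into a denial of service; counting what was removed gives the operator a signal when one source keeps sending them.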

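The "dangling quote" item describes what goes wrong when sanitized HTML is dropped into a value attribute: an unbalanced quote in the fragment closes the attribute early and whatever follows is parsed as markup. As an added example that is not the project's code (the names and the sample fragment are constructed for illustration), the Python below embeds the same fragment with and without HTML attribute encoding and uses the standard-library parser to show which tags a browser-side tokeniser would see. Sanitizer output is safe as element content; it still needs attribute encoding before it is used as an attribute value.

```python
import html
from html.parser import HTMLParser


class _TagCollector(HTMLParser):
    """Records start tags and their attributes in document order."""

    def __init__(self) -> None:
        super().__init__()
        self.tags = []
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attrs.setdefault(tag, dict(attrs))


def tags_and_attrs(markup: str):
    """Parse markup the way a browser tokeniser would; return (tags, attrs)."""
    collector = _TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags, collector.attrs


def embed_unsafe(fragment: str) -> str:
    """Drop a sanitized fragment straight into a value attribute (the bug)."""
    return f'<input type="text" value="{fragment}">'


def embed_safe(fragment: str) -> str:
    """Attribute-encode first: quotes, angle brackets and ampersands become
    character references, so the attribute boundary cannot move."""
    return f'<input type="text" value="{html.escape(fragment, quote=True)}">'


# Constructed sanitizer output: only harmless tags, but a quote that nothing
# in the fragment balances.
FRAGMENT = 'hello"><b>not an attribute</b>'

if __name__ == "__main__":
    for label, markup in (("unsafe", embed_unsafe(FRAGMENT)),
                          ("safe  ", embed_safe(FRAGMENT))):
        tags, attrs = tags_and_attrs(markup)
        print(label, markup)
        print("        tags seen:", tags,
              "value attribute:", repr(attrs["input"].get("value")))
```

With the unsafe embedding the parser reports two elements and the attribute value is truncated at the stray quote; with attribute encoding it reports one element whose decoded value is exactly the original fragment.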

