[Owasp-antisamy] can antisamy maintain case in output?
Joel Worrall
jworrall at mzinga.com
Mon Apr 28 18:05:52 EDT 2008
I've run into an issue/feature with AntiSamy where it appears to automatically lower-case input.
If I input a value of:
<B>Hello World!</B>
AntiSamy outputs:
<b>Hello World!</b>
The example is trivial, but the implications are significant for my project, where some of the valid input I process is camel-cased XML. Why is it doing this? Is there any way to stop this? I have input I'm parsing that I would prefer remains in camel case.
FYI, here is the code I'm using to scrub the content and write it to a new string:
import java.io.File;
import java.io.StringWriter;
import java.util.Properties;

import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.TransformerException;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;

import org.apache.xalan.processor.TransformerFactoryImpl;
import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

public class TestXSS {

    public static void main(String[] args) {
        try {
            AntiSamy antisamy = new AntiSamy();
            String strObjValue = "<B>Hello World!</B>";

            // The AntiSamy policy (tag/attribute whitelist) lives in the webapp config.
            File f = new File("webdocs/WEB-INF/config/antisamy.xml");
            if (!f.exists()) {
                System.err.println("No file: " + f.getAbsolutePath());
                System.exit(-1);
            }
            System.out.println("Loading " + f.getAbsolutePath());

            // Scan the input against the policy. The result carries both the
            // cleaned HTML string and a cleaned DOM fragment.
            CleanResults cr = antisamy.scan(strObjValue, Policy.getInstance(f));

            // Serialize the cleaned DOM fragment into text with the Xalan serializer.
            StringWriter sw = new StringWriter();
            TransformerFactory tfactory = new TransformerFactoryImpl();
            Transformer serializer = tfactory.newTransformer();
            Properties oprops = serializer.getOutputProperties();
            oprops.put("method", "HTML");
            oprops.put("encoding", "UTF-8");
            oprops.put("omit-xml-declaration", "yes");
            oprops.put("indent", "no");
            oprops.put("standalone", "yes");
            oprops.put("{http://xml.apache.org/xalan}indent-amount", "0");
            // com.knowledgeplanet.xml.serializer.SimpleEntities is a custom file added to the xalan serializer jar.
            oprops.put("{http://xml.apache.org/xalan}entities", "com.knowledgeplanet.xml.serializer.SimpleEntities");
            serializer.setOutputProperties(oprops);
            serializer.transform(new DOMSource(cr.getCleanXMLDocumentFragment()), new StreamResult(sw));
            strObjValue = sw.toString();

            // Both the string AntiSamy returns and our own serialization of the fragment.
            System.out.println(cr.getCleanHTML());
            System.out.println(strObjValue);

            if (cr.getNumberOfErrors() > 0) {
                System.out.println(cr.getErrorMessages().get(0).toString());
            }
        } catch (Exception e) {
            e.printStackTrace(System.err);
        }
    }
}
Output is:
Loading C:\dev\code\Core\HEAD\engineering\lms\Project\webdocs\WEB-INF\config\antisamy.xml
<b>Hello World!</b>
<b>Hello World!</b>
Thanks for the assistance in advance,
joel
Joel Worrall
Director of Development
Learning & Workplace Communities
Mzinga
5095 Ritter Road * Mechanicsburg, PA 17055
---------------------------------------------------
Learn more: http://mzinga.com/v/jworrall/
Toll Free: 888.MZINGA.8
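Background for the question above, as an added example that is not part of the original post and not AntiSamy's own code: browsers treat HTML element and attribute names case-insensitively (`<B>`, `<b>` and `<ScRiPt>`, `<script>` are the same thing to a browser), so an HTML sanitizer has to normalize names before comparing them with its policy, and a serializer that emits the normalized name produces exactly the lowercase output shown in the post. XML element names, by contrast, are case-sensitive, which is why camel-cased XML does not survive an HTML sanitizer intact. The standalone Python below (chosen so it runs without the AntiSamy jar; the policy table, the regex tokenizer and all inputs are constructed for this illustration) contrasts a case-sensitive deny-list filter, which `<SCRIPT>` walks straight past, with a whitelist sanitizer that lowercases every tag and attribute name before the policy lookup and emits the normalized form.

```python
import re

# Regex tokenizer for tags. Enough for this illustration; a real sanitizer
# such as AntiSamy parses into a DOM first. Text between tags passes through
# unchanged here.
TAG_RE = re.compile(r"<(/?)([A-Za-z][A-Za-z0-9]*)([^<>]*)>")
ATTR_RE = re.compile(
    r"""([A-Za-z][A-Za-z0-9-]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?"""
)

# Constructed, hypothetical policy: element names map to the attributes they
# may carry. Keys are lowercase because HTML names are case-insensitive.
ALLOWED = {"b": set(), "i": set(), "p": set(), "a": {"href"}}
SAFE_URL_SCHEMES = ("http:", "https:", "mailto:")


def deny_list_filter(html):
    """Naive filter: strips <script> tags by exact, case-sensitive name.
    A browser treats <SCRIPT> and <script> identically, so this is bypassable."""
    return TAG_RE.sub(lambda m: "" if m.group(2) == "script" else m.group(0), html)


def _safe_href(value):
    # Lowercase before the scheme check so "JavaScript:" cannot slip past it.
    v = value.strip().lower()
    return ":" not in v or v.startswith(SAFE_URL_SCHEMES)


def _rebuild_tag(closing, name, raw_attrs):
    if closing:
        return f"</{name}>"
    kept = []
    for m in ATTR_RE.finditer(raw_attrs):
        attr = m.group(1).lower()  # attribute names are normalized too
        value = next((g for g in m.groups()[1:] if g is not None), "")
        if attr not in ALLOWED[name]:
            continue
        if attr == "href" and not _safe_href(value):
            continue
        escaped = value.replace('"', "&quot;")
        kept.append(f'{attr}="{escaped}"')
    return "<" + " ".join([name] + kept) + ">"


def whitelist_sanitize(html):
    """Lowercase every tag name before the policy lookup, drop any element or
    attribute the policy does not list, and emit the normalized name."""
    def repl(m):
        closing, name, raw_attrs = m.group(1), m.group(2).lower(), m.group(3)
        if name not in ALLOWED:
            return ""
        return _rebuild_tag(closing, name, raw_attrs)
    return TAG_RE.sub(repl, html)


if __name__ == "__main__":
    # Constructed inputs for a quick look at the behaviour.
    print(deny_list_filter('<SCRIPT>alert(1)</SCRIPT>'))
    print(whitelist_sanitize('<B>Hello World!</B>'))
    print(whitelist_sanitize('<A HREF="JavaScript:alert(1)">x</A>'))
    print(whitelist_sanitize('<MyElement attr="1">text</MyElement>'))
```

The last call shows the trade-off Joel is running into: a camel-cased element that is not in the (lowercase) policy is dropped, and one that is in the policy comes back lowercased, because the sanitizer's job is to produce output a browser will interpret the same way the policy did. An HTML sanitizer is not a case-preserving XML filter, so case-sensitive XML needs an XML-aware validation step rather than an HTML one.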