[Owasp-antisamy] can antisamy maintain case in output?

Joel Worrall jworrall at mzinga.com
Mon Apr 28 18:05:52 EDT 2008

I've run into an issue/feature with AntiSamy where it appears to automatically lower-case input.

If I input a value of:

 <B>Hello World!</B>

AntiSamy outputs:

<b>Hello World!</b>

The example is trivial, but the implecations are significant for my project, where some of the valid input I process is camel-cased XML. Why is it doing this? Is there any way to stop this? I have input I'm parsing that I would prefer remains in camel case.

FYI, here is the code I'm using to scrub the content and write it to a new string:

import java.io.File;
import java.io.StringWriter;
import java.util.Properties;

import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.TransformerException;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;

import org.apache.xalan.processor.TransformerFactoryImpl;
import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

public class TestXSS {

       * @param args
      public static void main(String[] args) {
            // TODO Auto-generated method stub
            try {
                  AntiSamy antisamy = new AntiSamy();

                  String strObjValue = "<B>Hello World!</B>";
                  File f = new File("webdocs/WEB-INF/config/antisamy.xml");
                  if (!f.exists()) {
                        System.err.println("No file: " + f.getAbsolutePath());
                  System.out.println("Loading " + f.getAbsolutePath());
                  CleanResults cr = antisamy.scan(strObjValue, Policy.getInstance(f));
                  //          serialize the result into text
                  StringWriter sw = new StringWriter();
                  TransformerFactory tfactory = new TransformerFactoryImpl();
                  Transformer serializer = tfactory.newTransformer();
                  Properties oprops = serializer.getOutputProperties();
                  oprops.put("method", "HTML");
                  oprops.put("encoding", "UTF-8");
                  oprops.put("omit-xml-declaration", "yes");
                  oprops.put("indent", "no");
                  oprops.put("standalone", "yes");
                  oprops.put("{http://xml.apache.org/xalan}indent-amount", "0");
      //          com.knowledgeplanet.xml.serializer.SimpleEntities is a custom file added to the xalan serializer jar.
                  serializer.transform(new DOMSource(cr.getCleanXMLDocumentFragment()),new StreamResult(sw));
                  strObjValue = sw.toString();
                  if (cr.getNumberOfErrors() > 0) {
            } catch (Exception e) {


Output is:

Loading C:\dev\code\Core\HEAD\engineering\lms\Project\webdocs\WEB-INF\config\antisamy.xml
<b>Hello World!</b>

<b>Hello World!</b>

Thanks for the assistance in advance,

Joel Worrall
Director of Development
Learning & Workplace Communities
5095 Ritter Road * Mechanicsburg, PA  17055
Learn more:  http://mzinga.com/v/jworrall/
Toll Free:  888.MZINGA.8

-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-antisamy/attachments/20080428/7cb59339/attachment-0001.html 

More information about the Owasp-antisamy mailing list