[Owasp-antisamy] onsiteURL and offsiteURL accept urls with parameters

Carlos Aguayo carlos.aguayo at gmail.com
Thu Jun 12 11:35:06 EDT 2008

By default both onsiteURL and offsiteURL accept url with parameters,
for example, the following link:

<a href="http://mysite.com?first=12345&second=34567">click here</a>

would pass using AntiSamy slashdot policy. Ultimately using AntiSamy
an attacked shouldn't be able to dynamically craft the url, it would
be a fixed one, reducing the risk of sending arbitrary parameters to a
site and also the designer has the ability to change the policy file
and disallow this.

However my question is, shouldn't the default policies be stricter and
disallow this by default? What are the reasons to allow it by default?


More information about the Owasp-antisamy mailing list