[Owasp-antisamy] onsiteURL and offsiteURL accept urls withparameters

Arshan Dabirsiaghi arshan.dabirsiaghi at aspectsecurity.com
Thu Jun 12 12:57:38 EDT 2008


There are two reasons why we allow arbitrary HTTP URLs:

1.	
	It's the Slashdot policy file, so we do exactly what Slashdot does.
2.	
	That is the point of AntiSamy in general: to allow rich input.

You can lock down a policy file as much as you want, but the more you lock it down, the less useful it is to your users. If you prevent URL parameters from being in a URL, users can't put up a link to a CNN article, or their profile page on a social network, etc.

Hope that helps.

Cheers,
Arshan


________________________________

From: owasp-antisamy-bounces at lists.owasp.org on behalf of Carlos Aguayo
Sent: Thu 6/12/2008 11:35 AM
To: owasp-antisamy at lists.owasp.org
Subject: [Owasp-antisamy] onsiteURL and offsiteURL accept urls withparameters



Hi,
By default both onsiteURL and offsiteURL accept url with parameters,
for example, the following link:

<a href="http://mysite.com?first=12345&second=34567 <http://mysite.com/?first=12345&second=34567> ">click here</a>

would pass using AntiSamy slashdot policy. Ultimately using AntiSamy
an attacked shouldn't be able to dynamically craft the url, it would
be a fixed one, reducing the risk of sending arbitrary parameters to a
site and also the designer has the ability to change the policy file
and disallow this.

However my question is, shouldn't the default policies be stricter and
disallow this by default? What are the reasons to allow it by default?

Thanks,
Carlos
_______________________________________________
Owasp-antisamy mailing list
Owasp-antisamy at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-antisamy


-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-antisamy/attachments/20080612/4befbd8c/attachment.html 


More information about the Owasp-antisamy mailing list