[Owasp-antisamy] can antisamy maintain case in output?

Arshan Dabirsiaghi arshan.dabirsiaghi at aspectsecurity.com
Sat May 24 20:14:52 EDT 2008

I will consider adding this as a directive in the policy file. Can you enter it into the Google Code issues page?


From: owasp-antisamy-bounces at lists.owasp.org on behalf of Joel Worrall
Sent: Mon 4/28/2008 6:05 PM
To: owasp-antisamy at lists.owasp.org
Subject: [Owasp-antisamy] can antisamy maintain case in output?

I've run into an issue/feature with AntiSamy where it appears to automatically lower-case input. 


If I input a value of:


 <B>Hello World!</B>


AntiSamy outputs:


<b>Hello World!</b>


The example is trivial, but the implications are significant for my project, where some of the valid input I process is camel-cased XML. Why is it doing this? Is there any way to stop this? I have input I'm parsing that I would prefer remains in camel case.


FYI, here is the code I'm using to scrub the content and write it to a new string:


import java.io.File;
import java.io.StringWriter;
import java.util.Properties;

import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.TransformerException;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;

import org.apache.xalan.processor.TransformerFactoryImpl;
import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

public class TestXSS {

    /**
     * @param args
     */
    public static void main(String[] args) {
        try {
            AntiSamy antisamy = new AntiSamy();

            String strObjValue = "<B>Hello World!</B>";
            File f = new File("webdocs/WEB-INF/config/antisamy.xml");
            if (!f.exists()) {
                System.err.println("No file: " + f.getAbsolutePath());
                return;
            }

            System.out.println("Loading " + f.getAbsolutePath());
            CleanResults cr = antisamy.scan(strObjValue, Policy.getInstance(f));

            // serialize the result into text
            StringWriter sw = new StringWriter();
            TransformerFactory tfactory = new TransformerFactoryImpl();
            Transformer serializer = tfactory.newTransformer();
            // getOutputProperties() returns a copy; the edited copy has to be handed
            // back with setOutputProperties() or these settings are silently ignored.
            Properties oprops = serializer.getOutputProperties();
            oprops.put("method", "html");   // JAXP output methods are lower case: xml, html, text
            oprops.put("encoding", "UTF-8");
            oprops.put("omit-xml-declaration", "yes");
            oprops.put("indent", "no");
            oprops.put("standalone", "yes");
            oprops.put("{http://xml.apache.org/xalan}indent-amount", "0");
            serializer.setOutputProperties(oprops);
            // com.knowledgeplanet.xml.serializer.SimpleEntities is a custom file added to the xalan serializer jar.

            serializer.transform(new DOMSource(cr.getCleanXMLDocumentFragment()), new StreamResult(sw));
            strObjValue = sw.toString();

            // The archived listing lost the print statements; these reproduce the two
            // lines shown in the output below (the serialized fragment, then AntiSamy's
            // own cleaned string).
            System.out.println(strObjValue);
            System.out.println(cr.getCleanHTML());

            if (cr.getNumberOfErrors() > 0) {
                // Body lost in the archive; report the count the API exposes.
                System.err.println(cr.getNumberOfErrors() + " policy error(s) during scan");
            }
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

Output is:


Loading C:\dev\code\Core\HEAD\engineering\lms\Project\webdocs\WEB-INF\config\antisamy.xml

<b>Hello World!</b>


<b>Hello World!</b>


Thanks for the assistance in advance,



Joel Worrall

Director of Development 

Learning & Workplace Communities
5095 Ritter Road * Mechanicsburg, PA  17055
Learn more:  http://mzinga.com/v/jworrall/
Toll Free:  888.MZINGA.8
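Added example, not part of the thread and not AntiSamy project code: the lower-casing Joel sees happens in the HTML parser, not in the Xalan serializer. AntiSamy's DOM scanner is built on the CyberNeko HTML parser (NekoHTML), whose `names/elems` and `names/attrs` properties take the values `upper`, `lower` or `match`; to my reading of the AntiSamy 1.x source the scanner sets both to `lower`, which should be treated as an assumption to verify against the version in use. The program below parses the same constructed markup twice, once with names forced to lower case and once with the original case kept, and prints both trees with a minimal serializer so the effect of the property is visible. `TagCaseDemo`, `SAMPLE` and the `render` helper are names chosen here.

```java
import java.io.StringReader;

import org.apache.html.dom.HTMLDocumentImpl;
import org.cyberneko.html.parsers.DOMFragmentParser;
import org.w3c.dom.DocumentFragment;
import org.w3c.dom.NamedNodeMap;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

/**
 * Parses the same markup with NekoHTML under two name-handling modes and
 * prints the resulting trees, so the origin of the lower-casing is visible.
 * Example code written for this note; not AntiSamy's own code.
 */
public class TagCaseDemo {

    // NekoHTML feature/property identifiers (real NekoHTML property names).
    private static final String ELEMS = "http://cyberneko.org/html/properties/names/elems";
    private static final String ATTRS = "http://cyberneko.org/html/properties/names/attrs";

    // Constructed sample input: upper-case HTML plus a camel-cased element and
    // attribute of the kind the original post is concerned about.
    private static final String SAMPLE =
        "<B>Hello World!</B><myCamelTag dataRef=\"x\">text</myCamelTag>";

    /** Parse a fragment; elemMode/attrMode are "upper", "lower" or "match". */
    static DocumentFragment parse(String html, String elemMode, String attrMode) throws Exception {
        DOMFragmentParser parser = new DOMFragmentParser();
        parser.setProperty(ELEMS, elemMode);
        parser.setProperty(ATTRS, attrMode);
        HTMLDocumentImpl doc = new HTMLDocumentImpl();
        DocumentFragment frag = doc.createDocumentFragment();
        parser.parse(new InputSource(new StringReader(html)), frag);
        return frag;
    }

    /** Minimal serializer: emits tag and attribute names exactly as the DOM holds them. */
    static void serialize(Node node, StringBuilder out) {
        switch (node.getNodeType()) {
            case Node.TEXT_NODE:
                out.append(node.getNodeValue());
                break;
            case Node.ELEMENT_NODE:
                out.append('<').append(node.getNodeName());
                NamedNodeMap attrs = node.getAttributes();
                for (int i = 0; i < attrs.getLength(); i++) {
                    Node a = attrs.item(i);
                    out.append(' ').append(a.getNodeName())
                       .append("=\"").append(a.getNodeValue()).append('"');
                }
                out.append('>');
                NodeList kids = node.getChildNodes();
                for (int i = 0; i < kids.getLength(); i++) {
                    serialize(kids.item(i), out);
                }
                out.append("</").append(node.getNodeName()).append('>');
                break;
            default:
                // Document fragment or other container: descend into children.
                NodeList children = node.getChildNodes();
                for (int i = 0; i < children.getLength(); i++) {
                    serialize(children.item(i), out);
                }
        }
    }

    /** Parse under the given modes and return the re-serialized markup. */
    static String render(String html, String elemMode, String attrMode) throws Exception {
        StringBuilder sb = new StringBuilder();
        serialize(parse(html, elemMode, attrMode), sb);
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // "lower" reproduces what the original post observed; "match" keeps the input's case.
        System.out.println("lower: " + render(SAMPLE, "lower", "lower"));
        System.out.println("match: " + render(SAMPLE, "match", "match"));
    }
}
```

The security point behind the default: browsers treat HTML tag and attribute names case-insensitively, so a sanitizer that looked up `<SCRIPT>` and `<script>` as different names against its allow-list would be trivially bypassable; normalizing every name to lower case before the policy lookup removes that whole class of mismatch. If case were preserved (via a policy directive such as the one suggested in the reply, or by switching the parser to `match`), the tag and attribute lookup in the policy would have to be made case-insensitive at the same time, or the preserved names would no longer match the allowed entries at all. Camel-cased XML pushed through an HTML parser is also being interpreted under HTML's rules (unknown elements, implied closes), so an XML parser with a schema is usually the better fit for that input.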


-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-antisamy/attachments/20080524/b2572b6f/attachment-0001.html 
