[Owasp-antisamy] can antisamy maintain case in output?

Arshan Dabirsiaghi arshan.dabirsiaghi at aspectsecurity.com
Sat May 24 20:14:52 EDT 2008


I will consider adding this as a directive in the policy file. Can you enter it into the Google Code issues page?
 
Thanks,
Arshan
 
http://code.google.com/p/owaspantisamy/issues/list

________________________________

From: owasp-antisamy-bounces at lists.owasp.org on behalf of Joel Worrall
Sent: Mon 4/28/2008 6:05 PM
To: owasp-antisamy at lists.owasp.org
Subject: [Owasp-antisamy] can antisamy maintain case in output?



I've run into an issue/feature with AntiSamy where it appears to automatically lower-case input.

If I input a value of:

 <B>Hello World!</B>

AntiSamy outputs:

<b>Hello World!</b>

The example is trivial, but the implications are significant for my project, where some of the valid input I process is camel-cased XML. Why is it doing this? Is there any way to stop this? I have input I'm parsing that I would prefer remains in camel case.

FYI, here is the code I'm using to scrub the content and write it to a new string:


import java.io.File;
import java.io.StringWriter;
import java.util.Properties;

import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.TransformerException;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;

import org.apache.xalan.processor.TransformerFactoryImpl;
import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

public class TestXSS {

    /**
     * @param args
     */
    public static void main(String[] args) {
        try {
            AntiSamy antisamy = new AntiSamy();

            String strObjValue = "<B>Hello World!</B>";
            File f = new File("webdocs/WEB-INF/config/antisamy.xml");
            if (!f.exists()) {
                System.err.println("No file: " + f.getAbsolutePath());
                System.exit(-1);
            }
            System.out.println("Loading " + f.getAbsolutePath());

            // Scan the input against the policy file; the result carries both
            // the cleaned HTML string and the cleaned DOM fragment.
            CleanResults cr = antisamy.scan(strObjValue, Policy.getInstance(f));

            // Serialize the cleaned DOM fragment into text with the Xalan serializer.
            StringWriter sw = new StringWriter();
            TransformerFactory tfactory = new TransformerFactoryImpl();
            Transformer serializer = tfactory.newTransformer();
            Properties oprops = serializer.getOutputProperties();
            oprops.put("method", "HTML");
            oprops.put("encoding", "UTF-8");
            oprops.put("omit-xml-declaration", "yes");
            oprops.put("indent", "no");
            oprops.put("standalone", "yes");
            oprops.put("{http://xml.apache.org/xalan}indent-amount", "0");
            // com.knowledgeplanet.xml.serializer.SimpleEntities is a custom file added to the xalan serializer jar.
            oprops.put("{http://xml.apache.org/xalan}entities", "com.knowledgeplanet.xml.serializer.SimpleEntities");
            serializer.setOutputProperties(oprops);
            serializer.transform(new DOMSource(cr.getCleanXMLDocumentFragment()), new StreamResult(sw));
            strObjValue = sw.toString();

            // Both the string AntiSamy produced and the re-serialized fragment are printed;
            // both come out with lower-cased tag names.
            System.out.println(cr.getCleanHTML());
            System.out.println(strObjValue);
            if (cr.getNumberOfErrors() > 0) {
                System.out.println(cr.getErrorMessages().get(0).toString());
            }
        } catch (Exception e) {
            e.printStackTrace(System.err);
        }
    }
}


Output is:

Loading C:\dev\code\Core\HEAD\engineering\lms\Project\webdocs\WEB-INF\config\antisamy.xml
<b>Hello World!</b>
<b>Hello World!</b>

Thanks for the assistance in advance,

joel

Joel Worrall

Director of Development 

Learning & Workplace Communities
Mzinga
5095 Ritter Road * Mechanicsburg, PA  17055
---------------------------------------------------
Learn more:  http://mzinga.com/v/jworrall/
Toll Free:  888.MZINGA.8
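The behaviour Joel reports is the HTML parser's case normalization: HTML element names are case-insensitive, so HTML parsers (browsers, Python's html.parser, and NekoHTML, which AntiSamy's DOM scanner uses) fold tag names to lower case before the sanitizer ever compares them with the policy, and the original spelling is gone by the time the cleaned fragment is serialized. The script below is an added illustration of that point, not code from this thread or from the AntiSamy project; the tag allow-list, the deny-list and the sample inputs in it are constructed for the example. It shows why a sanitizer wants the normalization (a filter that compares tag names as written either rejects the legitimate <B> or lets <ScRiPt> through, although the browser runs the latter as <script>) and that a normalized parse cannot hand camel-cased names back.

```python
import re
from html.parser import HTMLParser

# Constructed policy for the example: the tags a sanitizer keeps, written in
# lower case the way an AntiSamy policy file lists them.
ALLOWED_TAGS = {"b", "i", "p", "a", "br"}

# Constructed deny-list, present only to show the bypass that a case-sensitive
# comparison allows; allow-listing (what AntiSamy does) is the right design.
DANGEROUS_TAGS = {"script", "iframe", "object"}

# Toy tokenizer that reports tag names exactly as they appear in the input.
# It exists only to expose the "as written" spelling; it is not a safe HTML parser.
_TAG_RE = re.compile(r"<\s*/?\s*([A-Za-z][A-Za-z0-9]*)")


def tag_names_as_written(markup):
    """Tag names in their original case, e.g. ['B', 'B'] for '<B>x</B>'."""
    return [m.group(1) for m in _TAG_RE.finditer(markup)]


class _TagCollector(HTMLParser):
    """Records start and end tag names as the parser reports them."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

    def handle_endtag(self, tag):
        self.tags.append(tag)


def tag_names_as_parsed(markup):
    """Tag names after an HTML parse. html.parser lower-cases them, as browsers
    and HTML-aware parsers such as NekoHTML do, because HTML element names are
    case-insensitive; the original spelling is no longer available here."""
    collector = _TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags


def rejected_by_allowlist(markup, normalize):
    """Tags an allow-list policy would reject. With normalize=False the policy
    would have to spell out every case variant or it rejects legitimate '<B>'."""
    names = tag_names_as_parsed(markup) if normalize else tag_names_as_written(markup)
    return [t for t in names if t not in ALLOWED_TAGS]


def caught_by_denylist(markup, normalize):
    """Tags a deny-list check flags. Without normalization '<ScRiPt>' slips
    through even though the browser will execute it as <script>."""
    names = tag_names_as_parsed(markup) if normalize else tag_names_as_written(markup)
    return [t for t in names if t in DANGEROUS_TAGS]


if __name__ == "__main__":
    # Constructed sample inputs: Joel's example, a mixed-case script tag, camel-cased XML.
    samples = ("<B>Hello World!</B>", "<ScRiPt>alert(1)</ScRiPt>", "<myElement>x</myElement>")
    for sample in samples:
        print(sample)
        print("  as written :", tag_names_as_written(sample))
        print("  as parsed  :", tag_names_as_parsed(sample))
        print("  allow-list rejects (raw / normalized):",
              rejected_by_allowlist(sample, False), rejected_by_allowlist(sample, True))
        print("  deny-list catches  (raw / normalized):",
              caught_by_denylist(sample, False), caught_by_denylist(sample, True))
```

The third sample is the camel-cased case from the thread: after the parse the name is "myelement" in every code path, so any option to keep the input's case would have to be applied at the parser, before the policy comparison, rather than at serialization time.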
