[Owasp-antisamy] Indefinite loop in "org.owasp.validator.html.scan.AntiSamyDOMScanner" class

Gang Zheng gzheng at gmail.com
Tue Nov 18 11:48:08 EST 2008


Hi,

While using AntiSamy for filtering the user inputs, I noticed one problem.

A certain input string in an attribute of an HTML tag will cause an
indefinite loop in the method "recursiveValidateTag()" of
"AntiSamyDOMScanner.java".

To reproduce, use the code below:

 String userInput = "<a onblur=\"alert(secret)\" href=\"http://www.google.com\">Google</a>";
 AntiSamy as = new AntiSamy();
 CleanResults cr = as.scan(userInput, getPolicy());

You will get into an indefinite loop and eventually get OutOfMemoryError.

This is on version 1.2.

The problem occurs at line #500 of AntiSamyDOMScanner.java, where
removeAttribute() is called by passing in attr.getName(). Instead, it
should use the original attribute name from the input text, which is
"attribute.getNodeName()".

I changed Line #500 from

 ele.removeAttribute(attr.getName());

to

 ele.removeAttribute(attribute.getNodeName());

and it's working fine.

I am not sure if this is a known issue, but I hope you guys can verify
and incorporate the fix into the next release.

Thanks for the great work!

- Gang Zheng
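
The following is an added example, not code from the original post or from AntiSamy. It shows with the JDK's own DOM why removing an attribute by a name other than the node's own name can stall a scan loop: Element.removeAttribute() does nothing when no attribute has that name. The loop shape, the policyName() helper, the upper-casing mismatch and the iteration cap are all assumptions made for the demonstration.

```java
import java.util.Locale;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NamedNodeMap;
import org.w3c.dom.Node;

public class AttributeRemovalDemo {
    // Hypothetical stand-in for a policy lookup whose attribute name does not
    // match the name in the input (constructed mismatch: upper-casing).
    static String policyName(String nodeName) {
        return nodeName.toUpperCase(Locale.ROOT);
    }

    // Strips every attribute, stepping the index back after each removal.
    // Returns the number of loop iterations; the cap keeps the demo finite.
    static int strip(Element ele, boolean useNodeName, int cap) {
        NamedNodeMap attrs = ele.getAttributes();
        int iterations = 0;
        for (int i = 0; i < attrs.getLength() && iterations < cap; i++) {
            iterations++;
            Node attribute = attrs.item(i);
            String name = useNodeName ? attribute.getNodeName()
                                      : policyName(attribute.getNodeName());
            ele.removeAttribute(name); // no effect if no attribute has this name
            i--;                       // re-examine the slot that should now be vacant
        }
        return iterations;
    }

    // Constructed sample element mirroring the input string in the report.
    static Element sample(Document doc) {
        Element a = doc.createElement("a");
        a.setAttribute("onblur", "alert(secret)");
        a.setAttribute("href", "http://www.google.com");
        return a;
    }

    public static void main(String[] args) throws Exception {
        Document doc = DocumentBuilderFactory.newInstance()
                .newDocumentBuilder().newDocument();
        int cap = 1000;
        System.out.println("mismatched name: " + strip(sample(doc), false, cap) + " iterations");
        System.out.println("node name:       " + strip(sample(doc), true, cap) + " iterations");
    }
}
```

With the mismatched name the loop only stops because of the cap; with getNodeName() the attribute map shrinks on every pass and the loop ends on its own.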

