[Owasp-antisamy] AntiSAMY Defect (Shishir Kumar)

Arshan Dabirsiaghi arshan.dabirsiaghi at aspectsecurity.com
Fri Sep 19 12:27:54 EDT 2008


Could you be using an older version or an old version of the NekoHTML jar?

Arshan



On Sep 19, 2008, at 12:17 PM, "Carlos Aguayo"  
<carlos.aguayo at gmail.com> wrote:

> I can't reproduce this either.
>
>>
>> Message: 1
>> Date: Fri, 19 Sep 2008 16:59:32 +0530
>> From: "Shishir Kumar" <shishirroy2000 at gmail.com>
>> Subject: [Owasp-antisamy] AntiSAMY Defect
>> To: owasp-antisamy at lists.owasp.org,
>>       arshan.dabirsiaghi at aspectsecurity.com
>> Message-ID:
>>       <49e43b590809190429k34a5dd21u44ca93b82269166a at mail.gmail.com>
>> Content-Type: text/plain; charset="iso-8859-1"
>>
>> Hi,
>>
>> I found that if the user inputs text in the UI as:
>>
>> <script type=\"text/javascript\">document.write(\"Hello World!\");</script>
>>
>> The scan goes into an infinite loop and throws an OutOfMemoryError
>>
>> as.scan(inputData, policy);
>>
>> Note: For the input below it works fine. So the problem is something with \
>>
>> <script type="text/javascript">document.write("Hello World!");</script >
>>
>> Regards,
>>
>> Shishir Kumar
>>
>> ------------------------------
>>
>> Message: 2
>> Date: Fri, 19 Sep 2008 17:31:49 +0400
>> From: Serge Droganov <sergei at droganov.ru>
>> Subject: Re: [Owasp-antisamy] AntiSAMY Defect
>> To: "Shishir Kumar" <shishirroy2000 at gmail.com>
>> Cc: owasp-antisamy at lists.owasp.org
>> Message-ID: <209C0B6D-479D-4925-8E15-E84A14F645FF at droganov.ru>
>> Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
>>
>> Hi,
>> That's probably not about AntiSamy. I can't get an infinite loop.
>> http://blog.supremedesign.ru/xss
>>
>>
>> On Sep 19, 2008, at 3:29 PM, Shishir Kumar wrote:
>>
>>> <script type=\"text/javascript\">document.write(\"Hello World!\");</script>
>>
>>
>>
>> End of Owasp-antisamy Digest, Vol 11, Issue 2

