[Owasp-antisamy] policy file questions

Frank Pedroza frank.pedroza at gmail.com
Fri Apr 3 13:16:58 EDT 2009


Looking at the source code, the tag action attribute seems to support:
filter, validate, truncate, remove (assumed)

So what's truncate used for?

On Fri, Mar 27, 2009 at 4:29 PM, Arshan Dabirsiaghi <
arshan.dabirsiaghi at aspectsecurity.com> wrote:

>
> To answer your specific questions
>
> 2. Let me specify the difference here between action="remove",
> action="filter" (which is default) and action="validate". Before I do that
> though, you should understand my terminology. Consider the following
> snippet:
>
> <script>alert(document.domain)</script>
>
> In the DOM, that is 2 separate elements. The parent element is <script>,
> and the child element is the text node "alert(document.domain)".
>
> With that in mind, let's talk about the actions. The "remove" action
> removes both DOM elements in question - the parent tag and the text
> children. The "filter" action removes the parent tag, but promotes the text
> content. If you set the action on "script" to "filter", the same text, after
> being run through the validator, would be this:
>
> alert(document.domain)
>
> Since JavaScript text content won't make sense as text to be shown to
> users, we set the action for "script" to be "remove". However, the same
> isn't necessarily true for the "b" tag, for example. Imagine you didn't want
> bold tags for some reason. You probably still want to keep the text that the
> user put between the tags, so you set action="filter" and AntiSamy will rip
> out the tags themselves, but keep the inner text.
>
> 2) I don't want to allow the <script> tag at all.  Do I need to include the
> following in the <tag-rules>?  I'd prefer that validation just fail if
> someone tries to use these tags.
>
>         <tag name="script" action="remove"/>
>         <tag name="noscript" action="remove"/>
>
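The remove/filter/validate distinction in the quoted reply, modelled as an added example (this is illustrative code written for this post, not AntiSamy's own scanner): a tiny policy maps tag names to actions, unlisted tags get the default "filter", and the scanner walks the DOM events applying each action as described. Attribute rules are out of scope here.

```python
import html
from html.parser import HTMLParser

# Constructed policy: action per tag name, as in a <tag name=".." action=".."/> rule.
# Tags absent from the policy get the default action, "filter".
POLICY = {"script": "remove", "b": "filter", "p": "validate"}
DEFAULT_ACTION = "filter"
VOID = {"br", "hr", "img", "input"}   # elements that never have an end tag


class ActionScanner(HTMLParser):
    """remove: drop the element and everything inside it (tag + text children).
    filter: drop the tag itself but keep (promote) its text content.
    validate: keep the tag."""

    def __init__(self, policy):
        super().__init__()
        self.policy = policy
        self.out = []
        self.removed_depth = 0   # > 0 while inside a "remove" subtree

    def action(self, tag):
        return self.policy.get(tag, DEFAULT_ACTION)

    def handle_starttag(self, tag, attrs):
        if self.removed_depth:
            if tag not in VOID:
                self.removed_depth += 1
            return
        act = self.action(tag)
        if act == "remove":
            self.removed_depth = 1
        elif act == "validate":
            self.out.append(f"<{tag}>")
        # "filter": emit nothing for the tag; its text still flows through handle_data

    def handle_endtag(self, tag):
        if self.removed_depth:
            self.removed_depth -= 1
            return
        if self.action(tag) == "validate":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.removed_depth:           # text children of a removed tag vanish
            self.out.append(html.escape(data, quote=False))


def scan(markup, policy=POLICY):
    """Return the sanitised markup for the given policy."""
    s = ActionScanner(policy)
    s.feed(markup)
    s.close()
    return "".join(s.out)
```

With the policy above, `<script>alert(document.domain)</script>` becomes an empty string, while the same input with `script` set to "filter" yields `alert(document.domain)`, exactly the behaviour the reply warns about.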