[Owasp-antisamy] escaped tags go through without getting removed

Girish ivgirish at yahoo.com
Fri Apr 10 18:52:59 EDT 2009


I am using version 1.3 and I have tried all 4 policy files. They all
give the same result.

For example, if my html is this (passing line by line to antisamy):

      <script>alert('Channel Title Description Vulnerability - Type 2')</script>
      <script>alert('Channel Link Vulnerability - Type 2')</script>
      javascript:alert('Channel Image URL Vulnerability - Type 1');

the output I am getting is:

      <script>alert('Channel Title Description Vulnerability - Type 2')</script>
      <script>alert('Channel Link Vulnerability - Type 2')</script>
      javascript:alert('Channel Image URL Vulnerability - Type 1');

Any idea on how to remove tags like
script/javascript/embed/frame/etc. even if they are escaped?
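As an added example (not the poster's code and not part of the AntiSamy project), the following Java harness runs a real `<script>` element, its entity-escaped form and the bare `javascript:` text through AntiSamy and prints what each becomes. It assumes the AntiSamy 1.3 jar and its dependencies are on the classpath and that the policy file path (a placeholder here) is adjusted to your deployment. The point it illustrates: `&lt;script&gt;` is a text node, not an element, so the parser never sees a tag to remove and a browser renders it as literal characters rather than executing it, whereas a real `<script>` element is stripped by the policy.

```java
import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

public class EscapedTagCheck {

    // Placeholder: point this at one of the policy files shipped with AntiSamy 1.3.
    private static final String POLICY_FILE = "/path/to/antisamy-policy.xml";

    // Constructed sample inputs, modelled on the three lines from the post.
    private static final String[] SAMPLES = {
        // A real <script> element: parsed as markup, so the policy removes it.
        "<script>alert('Channel Title Description Vulnerability - Type 2')</script>",
        // The same element entity-escaped: this is text, not markup, and it
        // renders literally in a browser; AntiSamy leaves it as text.
        "&lt;script&gt;alert('Channel Link Vulnerability - Type 2')&lt;/script&gt;",
        // Bare 'javascript:' text with no element or attribute around it: plain text.
        "javascript:alert('Channel Image URL Vulnerability - Type 1');",
    };

    // Returns the sanitized HTML for one input so callers can compare input and output.
    public static String clean(AntiSamy antiSamy, Policy policy, String input)
            throws ScanException, PolicyException {
        CleanResults results = antiSamy.scan(input, policy);
        return results.getCleanHTML();
    }

    public static void main(String[] args) throws PolicyException, ScanException {
        Policy policy = Policy.getInstance(POLICY_FILE);
        AntiSamy antiSamy = new AntiSamy();
        for (String input : SAMPLES) {
            CleanResults results = antiSamy.scan(input, policy);
            System.out.println("in    : " + input);
            System.out.println("out   : " + results.getCleanHTML());
            // Error messages list what the policy changed; empty for pure text input.
            System.out.println("errors: " + results.getErrorMessages());
            System.out.println();
        }
    }
}
```

The first sample loses its `<script>` element and reports a policy error; the second and third come back unchanged because there was no element for the policy to act on.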