[Owasp-antisamy] escaped tags goes thru without getting removed

Marcin Wielgoszewski marcinw86 at gmail.com
Mon Apr 13 11:44:11 EDT 2009


Do you have action="remove"?

example:
<tag name="script" action="remove"/>

-Marcin
tssci-security.com

On Fri, Apr 10, 2009 at 6:52 PM, Girish <ivgirish at yahoo.com> wrote:
> I am using 1.3 version and I have tried all the 4 policy files. They all
> give the same result.
>
> For example, if my html is this (passing line by line to antisamy):
>
>      <script>alert('Channel Title Description Vulnerability -
> Type 2')</script>
>      <script>alert('Channel Link Vulnerability - Type
> 2')</script>
>      javascript:alert('Channel Image URL Vulnerability - Type 1');
>
> the output I am getting is:
>
>      &lt;script&gt;alert('Channel Title Description
> Vulnerability - Type 2')&lt;/script&gt;
>      &lt;script&gt;alert('Channel Link Vulnerability - Type
> 2')&lt;/script&gt;
>      javascript:alert('Channel Image URL Vulnerability - Type 1');
>
> Any idea on how to remove the tags like
> script/javascript/embed/frame/etc. even if they are escaped?
>
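
A small harness for checking what a given policy file does with the three lines quoted in the thread, submitted both raw and already entity-escaped, so it is visible whether the escaping is present before the scan or appears in its output. This is an added example, not code from the thread or from the AntiSamy project; the class name `PolicyCheck`, its helper methods, and the policy path taken from the first command-line argument are assumptions.

```java
import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;

public class PolicyCheck {
    // Sample input: the three lines quoted in the post, with the e-mail line wraps rejoined.
    static final String[] SAMPLES = {
        "<script>alert('Channel Title Description Vulnerability - Type 2')</script>",
        "<script>alert('Channel Link Vulnerability - Type 2')</script>",
        "javascript:alert('Channel Image URL Vulnerability - Type 1');"
    };

    // Entity-encode a sample so it can also be submitted in pre-escaped form.
    static String escape(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;");
    }

    // Reverse of escape(): shows what the output would become if decoded once more downstream.
    static String unescape(String s) {
        return s.replace("&lt;", "<").replace("&gt;", ">").replace("&amp;", "&");
    }

    // Scan one input and report which forms of the markup survive in the cleaned output.
    static void check(AntiSamy as, Policy policy, String label, String input) throws Exception {
        CleanResults cr = as.scan(input, policy);
        String clean = cr.getCleanHTML();
        String decoded = unescape(clean).toLowerCase();
        boolean liveTag = clean.toLowerCase().contains("<script");
        boolean escapedTag = !liveTag && decoded.contains("<script");
        boolean jsText = decoded.contains("javascript:");
        System.out.printf("[%s]%n  in : %s%n  out: %s%n", label, input, clean);
        System.out.printf("  live <script>: %b, escaped <script> text: %b, javascript: text: %b%n",
                liveTag, escapedTag, jsText);
    }

    public static void main(String[] args) throws Exception {
        // Assumption: args[0] is the path to the policy file under test,
        // e.g. one containing <tag name="script" action="remove"/>.
        Policy policy = Policy.getInstance(args[0]);
        AntiSamy as = new AntiSamy();
        for (String s : SAMPLES) {
            check(as, policy, "raw", s);
            check(as, policy, "pre-escaped", escape(s));
        }
    }
}
```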

