[Owasp-antisamy] policy file questions
jason.li at owasp.org
Tue Apr 14 03:14:45 EDT 2009
Sorry for the delayed response.
Truncate removes any attributes and nested tags.
For example, if you specified the truncate action on the <strong> tag,
then the following example:
<strong id="test" class="my-bold" style="color: red">This is some
<strong>This is some text</strong>
Hope that helps!
-jason.li at owasp.org-
On Fri, Apr 3, 2009 at 1:16 PM, Frank Pedroza <frank.pedroza at gmail.com> wrote:
> Looking at the source code, the tag action attribute seems to support:
> filter, validate, truncate, remove (assumed)
> So what's truncate used for?
> On Fri, Mar 27, 2009 at 4:29 PM, Arshan Dabirsiaghi <arshan.dabirsiaghi at aspectsecurity.com> wrote:
>> To answer your specific questions:
>> 2. Let me specify the difference here between action="remove",
>> action="filter" (which is default) and action="validate". Before I do that
>> though, you should understand my terminology. Consider the following
>> In the DOM, that is 2 separate elements. The parent element is <script>,
>> and the child element is the text node "alert(document.domain)".
>> With that in mind, let's talk about the actions. The "remove" action
>> removes both DOM elements in question - the parent tag and the text
>> children. The "filter" action removes the parent tag, but promotes the text
>> content. If you set the action on "script" to "filter", the same text, after
>> being run through the validator, would be this:
>> users, we set the action for "script" to be "remove". However, the same
>> isn't necessarily true for the "b" tag, for example. Imagine you didn't want
>> bold tags for some reason. You probably still want to keep the text that the
>> user put between the tags, so you set action="filter" and AntiSamy will rip
>> out the tags themselves, but keep the inner text.
>> 2) I don't want to allow the <script> tag at all. Do I need to include
>> the following in the <tag-rules>? I'd prefer that validation just fail if
>> someone tries to use these tags.
>> <tag name="script" action="remove"/>
>> <tag name="noscript" action="remove"/>
> Owasp-antisamy mailing list
> Owasp-antisamy at lists.owasp.org
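The four tag actions discussed in this thread (remove, filter, truncate, validate), shown as a small Python model that is added here and is not AntiSamy's own code. It parses a fragment into a tiny DOM with the standard-library HTMLParser, applies a constructed policy dict (the names `POLICY`, `TreeBuilder`, `apply_policy`, `render` and `scan` are all mine, not AntiSamy's), and re-serializes the result. Tags absent from the policy are removed; that default is an assumption made for this model, not a statement about AntiSamy's configuration. Truncate keeps only the tag name and its direct text children, which is how I read "removes any attributes and nested tags".

```python
import html
from html.parser import HTMLParser

# Constructed policy for this model (not an AntiSamy policy file): tag -> action,
# or (action, allowed attribute names) for "validate". Tags absent from the
# policy are removed; that default is an assumption made here for the model.
POLICY = {
    "script": "remove",
    "noscript": "remove",
    "b": "filter",
    "strong": "truncate",
    "a": ("validate", {"href", "title"}),
}

VOID_TAGS = {"br", "hr", "img", "input"}


class TreeBuilder(HTMLParser):
    """Builds a minimal DOM: element = dict(tag, attrs, children); text = str."""

    def __init__(self):
        super().__init__()
        self.root = {"tag": None, "attrs": [], "children": []}
        self.stack = [self.root]

    def handle_starttag(self, tag, attrs):
        node = {"tag": tag, "attrs": list(attrs), "children": []}
        self.stack[-1]["children"].append(node)
        if tag not in VOID_TAGS:
            self.stack.append(node)

    def handle_endtag(self, tag):
        # Pop back to the matching open element; ignore stray close tags.
        for i in range(len(self.stack) - 1, 0, -1):
            if self.stack[i]["tag"] == tag:
                del self.stack[i:]
                break

    def handle_data(self, data):
        self.stack[-1]["children"].append(data)


def apply_policy(node, policy):
    """Return the sanitized child list of `node` according to the tag actions."""
    out = []
    for child in node["children"]:
        if isinstance(child, str):
            out.append(child)          # text nodes always pass through
            continue
        rule = policy.get(child["tag"], "remove")
        action, allowed = (rule, set()) if isinstance(rule, str) else rule
        if action == "remove":
            continue                   # drop the element and everything inside it
        if action == "filter":
            # drop the tag itself but promote its content to the parent
            out.extend(apply_policy(child, policy))
        elif action == "truncate":
            # keep the tag name only: no attributes, and only direct text children
            text = [c for c in child["children"] if isinstance(c, str)]
            out.append({"tag": child["tag"], "attrs": [], "children": text})
        elif action == "validate":
            # keep the tag, keep only the attributes the policy allows, recurse
            attrs = [(k, v) for k, v in child["attrs"] if k in allowed]
            out.append({"tag": child["tag"], "attrs": attrs,
                        "children": apply_policy(child, policy)})
    return out


def render(nodes):
    """Serialize the sanitized tree back to an HTML fragment."""
    parts = []
    for n in nodes:
        if isinstance(n, str):
            parts.append(html.escape(n, quote=False))
            continue
        attrs = "".join(f' {k}="{html.escape(v or "", quote=True)}"' for k, v in n["attrs"])
        if n["tag"] in VOID_TAGS:
            parts.append(f'<{n["tag"]}{attrs}>')
        else:
            parts.append(f'<{n["tag"]}{attrs}>{render(n["children"])}</{n["tag"]}>')
    return "".join(parts)


def scan(fragment, policy=POLICY):
    """Parse, apply the tag actions, and return the clean fragment."""
    builder = TreeBuilder()
    builder.feed(fragment)
    builder.close()
    return render(apply_policy(builder.root, policy))


if __name__ == "__main__":
    # Constructed sample inputs mirroring the cases in the thread.
    samples = [
        '<script>alert(document.domain)</script>',
        '<b>bold</b> words',
        '<strong id="test" class="my-bold" style="color: red">This is some text</strong>',
        '<a href="https://example.org" onclick="doSomething()">link</a>',
    ]
    for s in samples:
        print(repr(s), "->", repr(scan(s)))
    # With "script" set to "filter" instead, only the tag goes and the text stays:
    print(repr(scan(samples[0], {"script": "filter"})))
```

Switching `script` from "remove" to "filter" in the policy dict reproduces the difference Arshan describes: "remove" drops both the element and its text child, "filter" drops the element but promotes the text node to the parent.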