[Owasp-antisamy] policy file questions

Jason Li jason.li at owasp.org
Tue Apr 14 03:14:45 EDT 2009


Sorry for the delayed response.

Truncate removes any attributes and nested tags.

For example, if you specified the truncate action on the <strong> tag,
then the following example:
<strong id="test" class="my-bold" style="color: red">This is some
<em>example</em> text</strong>

Would become:
<strong>This is some  text</strong>

Hope that helps!

-Jason Li-
-jason.li at owasp.org-

On Fri, Apr 3, 2009 at 1:16 PM, Frank Pedroza <frank.pedroza at gmail.com> wrote:
> Looking at the source code, the tag action attribute seems to support:
> filter, validate, truncate, remove (assumed)
> So what's truncate used for?
> On Fri, Mar 27, 2009 at 4:29 PM, Arshan Dabirsiaghi
> <arshan.dabirsiaghi at aspectsecurity.com> wrote:
>> To answer your specific questions
>> 2. Let me specify the difference here between action="remove",
>> action="filter" (which is default) and action="validate". Before I do that
>> though, you should understand my terminology. Consider the following
>> snippet:
>> <script>alert(document.domain)</script>
>> In the DOM, that is 2 separate elements. The parent element is <script>,
>> and the child element is the text node "alert(document.domain)".
>> With that in mind, let's talk about the actions. The "remove" action
>> removes both DOM elements in question - the parent tag and the text
>> children. The "filter" action removes the parent tag, but promotes the text
>> content. If you set the action on "script" to "filter", the same text, after
>> being run through the validator, would be this:
>> alert(document.domain)
>> Since JavaScript text content won't make sense as text to be shown to
>> users, we set the action for "script" to be "remove". However, the same
>> isn't necessarily true for the "b" tag, for example. Imagine you didn't want
>> bold tags for some reason. You probably still want to keep the text that the
>> user put between the tags, so you set action="filter" and AntiSamy will rip
>> out the tags themselves, but keep the inner text.
>> ________________________________
>> 2) I don't want to allow the <script> tag at all.  Do I need to include
>> the following in the <tag-rules>?  I'd prefer that validation just fail if
>> someone tries to use these tags.
>>         <tag name="script" action="remove"/>
>>         <tag name="noscript" action="remove"/>
> _______________________________________________
> Owasp-antisamy mailing list
> Owasp-antisamy at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-antisamy
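The four tag actions discussed in this thread (remove, filter, truncate, validate) can be modelled in a few lines. The following is an added, self-contained toy sanitizer written for this page; it is not AntiSamy's code and does not read AntiSamy's XML policy format. The `POLICY` dictionary stands in for the `<tag-rules>` section, `ALLOWED_ATTRS` is an assumed per-tag attribute allowlist used by the "validate" action, and the sample inputs are the snippets quoted in the thread.

```python
from html import escape
from html.parser import HTMLParser

# Assumed stand-in for a <tag-rules> section: tag name -> action.
POLICY = {
    "script": "remove",     # drop the tag and its text children
    "noscript": "remove",
    "strong": "truncate",   # keep the tag, strip attributes and nested tags
    "em": "validate",       # keep the tag, keep only allowlisted attributes
    "b": "filter",          # drop the tag, promote its children
}
# Assumed attribute allowlist consulted by "validate".
ALLOWED_ATTRS = {"em": {"class"}}
DEFAULT_ACTION = "filter"   # the thread states filter is the default
VOID = {"br", "img", "hr"}  # tags that never have children


class Node:
    """Either an element (tag, attrs, children) or a text node (text)."""
    def __init__(self, tag=None, attrs=None, text=None):
        self.tag, self.attrs, self.text = tag, list(attrs or []), text
        self.children = []


class TreeBuilder(HTMLParser):
    """Builds a small DOM from the parser callbacks."""
    def __init__(self):
        super().__init__()
        self.root = Node()
        self.stack = [self.root]

    def handle_starttag(self, tag, attrs):
        node = Node(tag, attrs)
        self.stack[-1].children.append(node)
        if tag not in VOID:
            self.stack.append(node)

    def handle_endtag(self, tag):
        # Pop back to the matching open element, never past the root.
        for i in range(len(self.stack) - 1, 0, -1):
            if self.stack[i].tag == tag:
                del self.stack[i:]
                break

    def handle_data(self, data):
        self.stack[-1].children.append(Node(text=data))


def apply_policy(node, policy, allowed_attrs):
    """Return the list of nodes that replace `node` after applying its action."""
    if node.text is not None:
        return [node]
    action = policy.get(node.tag, DEFAULT_ACTION)
    if action == "remove":
        return []
    if action == "truncate":
        node.attrs = []
        node.children = [c for c in node.children if c.text is not None]
        return [node]
    kept = [n for child in node.children
            for n in apply_policy(child, policy, allowed_attrs)]
    if action == "filter":
        return kept
    if action == "validate":
        allowed = allowed_attrs.get(node.tag, set())
        node.attrs = [(k, v) for k, v in node.attrs if k in allowed]
        node.children = kept
        return [node]
    raise ValueError(f"unknown action {action!r} for <{node.tag}>")


def render(node):
    """Serialize the tree back to HTML, escaping text and attribute values."""
    if node.text is not None:
        return escape(node.text, quote=False)
    inner = "".join(render(c) for c in node.children)
    if node.tag is None:
        return inner
    attrs = "".join(f' {k}="{escape(v or "", quote=True)}"' for k, v in node.attrs)
    if node.tag in VOID:
        return f"<{node.tag}{attrs}/>"
    return f"<{node.tag}{attrs}>{inner}</{node.tag}>"


def sanitize(html, policy=POLICY, allowed_attrs=ALLOWED_ATTRS):
    builder = TreeBuilder()
    builder.feed(html)
    builder.close()
    root = builder.root
    root.children = [n for child in root.children
                     for n in apply_policy(child, policy, allowed_attrs)]
    return render(root)


if __name__ == "__main__":
    # Inputs quoted in the thread (constructed sample data).
    print(sanitize('<script>alert(document.domain)</script>'))
    print(sanitize('<script>alert(document.domain)</script>', {"script": "filter"}))
    print(sanitize('<strong id="test" class="my-bold" style="color: red">'
                   'This is some <em>example</em> text</strong>'))
```

Running the three calls reproduces the thread's descriptions: "remove" on `script` yields an empty string, "filter" on `script` promotes the text `alert(document.domain)`, and "truncate" on `strong` yields `<strong>This is some  text</strong>` with the attributes and the nested `<em>` gone. The real AntiSamy policy expresses the same choices as `<tag name="..." action="..."/>` entries in its XML file.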
