[Owasp-antisamy] escaped tags go through without getting removed

Serge Droganov sergei at droganov.ru
Wed Apr 15 16:13:55 EDT 2009

As for the cheat sheets....

I guess AntiSamy should pass most of them or even all... Just because those cheat sheets are made against a set of ReReplace filters which work on a string level, and AntiSamy works at object level and uses Match or ReFind expressions (not sure which one because I didn't inspect the code).

A few good ideas on how to find holes:

1. Inspect policy files and check if something is wrong there
2. Parse a number of webpages with it and see what is passed (a really big hole was found with this method some time ago)

Thank you,

On Apr 14, 2009, at 11:23 PM, Girish wrote:

> Jason,
> btw, is antisamy tested against RSnake's cheat sheet? if so, how are the results?
> thanks,
> Girish