[Owasp-antisamy] escaped tags goes thru without getting removed

Serge Droganov sergei at droganov.ru
Wed Apr 15 16:13:55 EDT 2009


Hi,
As for the cheat sheets....

I guess AntiSamy should pass most of them or even all... Just because  
those cheat sheets are made against a set of ReReplace filters witch  
work on a string level, and AntiSamy works at object level and uses  
Much or ReFind expressions (not sure witch one because I didn't  
inspect the code).

A few good ideas how to find holes:

1. Inspect policy files and check if something wrong there
  2. Parse a number of webpages with it and see what is passed (a  
really big hole was found with this method some time ago)

Thank you,
Serge

On Apr 14, 2009, at 11:23 PM, Girish wrote:

> Jason,
> btw,  is antisamy tested against RSnake's cheat sheet ? if so, how  
> are the results ?
>
> thanks,
> Girish



More information about the Owasp-antisamy mailing list