[Owasp-antisamy] Initial thoughts on .Net antisamy

rbirkby at gmail.com rbirkby at gmail.com
Fri Apr 24 09:35:29 EDT 2009


Greetings,

My first foray into AntiSamy has unfortunately ended with it being  
unlinkable into my project. Here are some of my thoughts during the  
investigation:

1) It would be nice if you included NUnit in the distro/svn - currently the  
project is not buildable except by removing the NUnit refs and setting the  
Test class to not compile.

2) It would be nice if the policy resources were compiled into the  
assembly. Not everyone is hosting the AntiSamy assembly inside of the ASP  
process. For example, I would like to run AntiSamy inside a  
ServicedComponent dllhost process (allowing AntiSamy to be called from  
VBScript).

3) The Java Policy.getInstance API accepts a stream. The .Net API does not.  
A .Net ServicedComponent doesn't really know which directory it is in,  
which makes it difficult to obtain a filepath - please add a Stream factory  
method to Policy (see the patch below).

4) I'd much prefer C# ISO standard naming conventions in the API rather  
than conventions mimicking Java (i.e. members are pascal case not camel case).  
Also in the documentation too: _as is an unlikely name for a local variable.

5) The subversion location is:
http://owaspantisamy.googlecode.com/svn/trunk/dotNet/current/source/  
owaspantisamy/

Notice this has an extra space character before owaspantisamy. Surely not  
intentional?

6) Policy .ctor states it throws a PolicyException. It doesn't, it catches  
all exceptions and writes to stdout.

7) There's an unused AssemblyInfo.cs in the root of the project.

8) Please give AntiSamy a strong name. There are several deployment  
scenarios which require a strong name. (this would also require Flute to  
have a Strong Name too)


Unfortunately, at that point my experiments with AntiSamy had to end. The  
lack of Strong Name on Flute and inability to give it one due to closed  
source meant that I'm unable to link against AntiSamy.

I've included my Policy.cs diff/patch which allows Stream support below.  
It's untested and a bit rough and ready.


Thanks,
Richard


Index: Policy.cs
===================================================================
--- Policy.cs (revision 110)
+++ Policy.cs (working copy)
@@ -114,6 +114,18 @@
return _instance;
}

+ /// <summary> This retrieves a Policy based on the Stream object passed  
in</summary>
+ /// <param name="stream">A Stream object which contains the XML policy  
information.
+ /// </param>
+ /// <returns> A populated Policy object based on the XML policy file  
pointed to by the stream parameter.
+ /// </returns>
+ /// <throws> PolicyException If there is a problem parsing the file.  
</throws>
+ public static Policy getInstance(Stream stream)
+ {
+ _instance = new Policy(stream);
+ return _instance;
+ }
+
/// <summary> Load the policy from an XML file.</summary>
/// <param name="file">Load a policy from the File object.
/// </param>
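Review bot: the `<throws> PolicyException` comment on the new `getInstance(Stream)` is not backed by anything on the stream path; `new Policy(stream)` has no try/catch (see the constructor added further down), so parser failures surface as raw `XmlException`s. Either wrap the call and rethrow as `PolicyException`, or drop the `<throws>` line. The `<param>` text should also state that the caller owns the stream (it is not disposed here, unlike the `FileStream` opened in the filename overload) and that it is read from its current position, and "parsing the file" in the `<throws>` text should read "parsing the stream".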
@@ -131,26 +143,10 @@
{
try
{
- XmlDocument doc = new XmlDocument();
- doc.Load(filename);
-
- XmlNode commonRegularExpressionListNode =  
doc.GetElementsByTagName("common-regexps")[0];
- this.commonRegularExpressions =  
parseCommonRegExps(commonRegularExpressionListNode);
-
- XmlNode directiveListNode = doc.GetElementsByTagName("directives")[0];
- this.directives = parseDirectives(directiveListNode);
-
- XmlNode commonAttributeListNode =  
doc.GetElementsByTagName("common-attributes")[0];
- this.commonAttributes = parseCommonAttributes(commonAttributeListNode);
-
- XmlNode globalAttributesListNode =  
doc.GetElementsByTagName("global-tag-attributes")[0];
- this.globalAttributes = parseGlobalAttributes(globalAttributesListNode);
-
- XmlNode tagListNode = doc.GetElementsByTagName("tag-rules")[0];
- this.tagRules = parseTagRules(tagListNode);
-
- XmlNode cssListNode = doc.GetElementsByTagName("css-rules")[0];
- this.cssRules = parseCSSRules(cssListNode);
+ using(FileStream stream = File.OpenRead(filename))
+ {
+ parsePolicyStream(stream);
+ }
}
catch (Exception ex)
{
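Review bot: `File.OpenRead(filename)` now sits inside the same `try`, so a missing or unreadable policy file is swallowed by the existing `catch (Exception ex)` together with parse errors, and the constructor still completes with every rule table left null (the behaviour item 6 of the mail complains about). Consider letting the catch rethrow as the `PolicyException` the constructor documents so callers cannot proceed with an empty policy.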
@@ -159,8 +155,43 @@
}
}

+ /// <summary> Load the policy from an XML stream.</summary>
+ /// <param name="stream">Load a policy from the stream specified.
+ /// </param>
+ /// <throws> PolicyException </throws>
+ private Policy(Stream stream)
+ {
+ parsePolicyStream(stream);
+ }

+ /// <summary>
+ /// Parses the policy stream.
+ /// </summary>
+ /// <param name="stream">The stream.</param>
+ private void parsePolicyStream(Stream stream)
+ {
+ XmlDocument doc = new XmlDocument();
+ doc.Load(stream);

+ XmlNode commonRegularExpressionListNode =  
doc.GetElementsByTagName("common-regexps")[0];
+ this.commonRegularExpressions =  
parseCommonRegExps(commonRegularExpressionListNode);
+
+ XmlNode directiveListNode = doc.GetElementsByTagName("directives")[0];
+ this.directives = parseDirectives(directiveListNode);
+
+ XmlNode commonAttributeListNode =  
doc.GetElementsByTagName("common-attributes")[0];
+ this.commonAttributes = parseCommonAttributes(commonAttributeListNode);
+
+ XmlNode globalAttributesListNode =  
doc.GetElementsByTagName("global-tag-attributes")[0];
+ this.globalAttributes = parseGlobalAttributes(globalAttributesListNode);
+
+ XmlNode tagListNode = doc.GetElementsByTagName("tag-rules")[0];
+ this.tagRules = parseTagRules(tagListNode);
+
+ XmlNode cssListNode = doc.GetElementsByTagName("css-rules")[0];
+ this.cssRules = parseCSSRules(cssListNode);
+ }
+
/// <summary> Go through <directives> section of the policy file.</summary>
/// <param name="directiveListNode">Top level of <directives>
/// </param>
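Review bot: `private Policy(Stream stream)` is documented with `<throws> PolicyException </throws>` but has no try/catch, so `doc.Load(stream)` throws a raw `XmlException`, and a policy missing any of the six sections makes `GetElementsByTagName(...)[0]` return null, which is then passed straight into the parse helpers; wrap the body the same way the filename constructor does and rethrow as `PolicyException`. While the parsing is being consolidated into `parsePolicyStream`, set `doc.XmlResolver = null` before `doc.Load(stream)` so a policy document cannot pull external entities or DTDs from the filesystem or network; the original `doc.Load(filename)` path had the same default resolver.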
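A hardened stream loader, added here as an example and not code from AntiSamy or from this patch: it does what items 2, 3 and 6 ask for (a caller-owned stream, e.g. from `Assembly.GetManifestResourceStream`, and a real `PolicyException` on failure) while refusing DTDs and external entities. `PolicyLoader`, `LoadPolicyDocument` and the `PolicyException` stub are assumptions; `DtdProcessing` needs .NET 4.0 or later.

```csharp
using System;
using System.IO;
using System.Xml;

// Stand-in for the PolicyException the mail says Policy claims to throw (assumption).
public class PolicyException : Exception
{
    public PolicyException(string message) : base(message) { }
    public PolicyException(string message, Exception inner) : base(message, inner) { }
}

public static class PolicyLoader
{
    // The six top-level sections parsePolicyStream() indexes with [0].
    private static readonly string[] RequiredSections =
    {
        "common-regexps", "directives", "common-attributes",
        "global-tag-attributes", "tag-rules", "css-rules"
    };

    // Loads policy XML from a caller-owned stream (not disposed here; CloseInput
    // defaults to false), refuses DTDs and external entities, and converts every
    // failure into a PolicyException instead of XmlException/NullReferenceException.
    public static XmlDocument LoadPolicyDocument(Stream stream)
    {
        if (stream == null) throw new ArgumentNullException("stream");

        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit, // a DTD in the policy is an error
            XmlResolver = null                      // never fetch external resources
        };
        var doc = new XmlDocument { XmlResolver = null };

        try
        {
            using (XmlReader reader = XmlReader.Create(stream, settings))
                doc.Load(reader);
        }
        catch (XmlException ex)
        {
            throw new PolicyException("Policy XML is malformed or uses a DTD: " + ex.Message, ex);
        }

        // Fail loudly on a missing section rather than handing null to the parse helpers.
        foreach (string section in RequiredSections)
            if (doc.GetElementsByTagName(section).Count == 0)
                throw new PolicyException("Policy is missing the <" + section + "> section");

        return doc;
    }
}
```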